Preface 



This volume contains the proceedings of the joint conference on Formal Mod- 
elling and Analysis of Timed Systems (FORMATS) and Formal Techniques in 
Real-Time and Fault Tolerant Systems (FTRTFT), held in Grenoble, France, on 
September 22-24, 2004. The conference united two previously independently or- 
ganized conferences FORMATS and FTRTFT. FORMATS 2003 was organized 
as a satellite workshop of CONCUR 2003 and was related to three independently 
started workshop series: MTCS (held as a satellite event of CONCUR 2000 and 
CONCUR 2002), RT-TOOLS (held as a satellite event of CONCUR 2001 and 
FLoC 2002) and TPTS (held at ETAPS 2002). FTRTFT is a symposium that 
was held seven times before: in Warwick 1988, Nijmegen 1992, Lübeck 1994, 
Uppsala 1996, Lyngby 1998, Pune 2000 and Oldenburg 2002. The proceedings 
of these symposia were published as volumes 331, 571, 863, 1135, 1486, 1926, 
and 2469 in the LNCS series by Springer. 

This joint conference is dedicated to the advancement of the theory and prac- 
tice of the modelling, design and analysis of real-time and fault-tolerant systems. 
Indeed, computer systems are becoming increasingly widespread in real-time and 
safety-critical applications such as embedded systems. Such systems are charac- 
terized by the crucial need to manage their complexity in order to produce 
reliable designs and implementations. The importance of timing aspects, per- 
formance and fault-tolerance is continuously growing. Formal techniques offer a 
foundation for systematic design of complex systems. They have beneficial ap- 
plications throughout the engineering process, from the capture of requirements 
through specification, design, coding and compilation, down to the hardware 
that embeds the system into its environment. The joint conference is devoted 
to considering the problems and the solutions in designing real-time and/or 
fault-tolerant systems, and to examining how well the use of advanced design 
techniques and formal methods for design, analysis and verification serves in 
relating theory to practice. 

We received 70 paper submissions out of which 24 were selected for publica- 
tion. Each submission received an average of 3 referee reviews. The conference 
program included three invited talks, by Greg Bollella (Sun Microsystems Lab- 
oratories), Paul Feautrier (LIP, École Normale Supérieure de Lyon, France) and 
Peter Ryan (School of Computing Science, University of Newcastle upon Tyne, 
UK). 

We would like to thank all the Program Committee members and the sub- 
referees. Our thanks also go to the Steering Committee members of FORMATS 
and FTRTFT. We also thank Claudia Laidet who assisted us in organizing the 
conference. 
From Software to Hardware and Back 

(Abstract) 



Paul Feautrier 

École Normale Supérieure de Lyon 



One of the techniques for the formal design of embedded systems is - or should 
be - Behavioral Synthesis. Among its many advantages, one can quote easier 
testing and more complete architecture exploration. 

Behavioral Synthesis has many aspects in common with another field, Automatic 
Parallelization. The reason is that, since von Neumann, software is inherently 
sequential, while hardware, which belongs to the real world, is parallel. 
The aim in Automatic Parallelization is to transform a sequential program into 
an equivalent program, suitable for efficient execution on a parallel high 
performance system. A specification being given, the aim of Behavioral Synthesis is 
to generate a VLSI circuit which conforms to the specifications. Most often, 
specifications come in the form of high-level algorithmic languages, like Matlab, C 
or Fortran. Hence, the outline of a BS system is: 
- find parallelism in the specification; 
- express that parallelism in a form suitable for synthesis (multiple combinatorial 
  circuits, registers, control automata), whereas in AP it is expressed in a form 
  suitable for execution on a parallel computer (OpenMP, MPI, fork-join). 

It is striking to notice that the two fields share many concepts, sometimes 
under different names. Resources, schedules and allocations are common objects, 
but sometimes dependences become races or hazards. If we compare the state of 
the art in the two fields, one observes that Behavioral Synthesis lags behind 
Automatic Parallelization in the handling of loops and arrays. This is probably due 
to technological restrictions. It has not been possible to implement large amounts 
of memory on a chip until the advent of submicron technologies. 

Classical parallelization aimed only at detecting parallel loops, without 
changing much of the structure of the original program. It was soon noticed 
that the amount of parallelism that can be found in this way is limited, and that 
more aggressive methods are needed. Several authors simultaneously noticed, 
around 1990, that regular programs can be represented as geometric objects 
(simple set of points in n-space), and that most methods for finding parallelism 
are just changes of basis in this space. This new outlook allowed one to ex- 
tend familiar techniques beyond basic blocks, and gave rise to powerful new 
methods for scheduling, allocation, memory management and code generation. 
These methods can be directly applied to Behavioral Synthesis, to replace such 
makeshift techniques as loop unrolling, loop fusion and loop splitting, strip- 
mining and loop coalescing. However, there are many unsolved problems, which 
would greatly benefit Behavioral Synthesis. One of them is scheduling under re- 
source constraints, which is known to be NP-complete already for basic blocks. 



Y. Lakhnech and S. Yovine (Eds.): FORMATS/FTRTFT 2004, LNCS 3253, pp. 1-2, 2004. 
(c) Springer-Verlag Berlin Heidelberg 2004 







There are several heuristics which can be applied to loop scheduling, but the 
results are not satisfactory at present. Similarly, scheduling for a given amount 
of memory, or, conversely, finding the minimum amount of memory (or registers) 
to support a given schedule are important problems in synthesis. 

Will a good system for Behavioral Synthesis influence software design and 
implementation? One may notice that general purpose processors are uniformly 
mediocre for all applications, while specific architectures like vector processors 
are highly efficient for restricted applications. With the advent of reconfigurable 
systems (e.g. FPGA) one may be tempted to redesign the architecture according 
to the needs of each application. The only problem with this idea is that synthe- 
sis, especially low level synthesis, is very slow compared to ordinary compilation. 
Hence, the idea will be limited to stable, high usage programs or to small pieces 
of big programs. 




Of Elections and Electrons 

(Abstract) 



Peter Y. Ryan 
University of Newcastle 



Digital voting technologies are currently very topical and hotly debated, espe- 
cially in the US with a presidential election looming. It is essential that voting 
systems are both trustworthy and trusted. Various schemes and technologies have 
been proposed, and indeed deployed, that take drastically different approaches 
to achieving assurance. At one end of the spectrum, we have approaches that 
claim to achieve assurance through system verification and testing. At the other 
end, we have the run-time monitoring school. Another way to characterize this 
dichotomy is to observe that the former approach seeks to verify the electoral 
system, the latter seeks to verify an actual election. 

The first approach is typified by the touch screen (DRE) machines currently 
widely used in the US. Many researchers are profoundly mistrustful of the claims 
for verification and trustworthiness of such systems and indeed recent reports 
indicate that such mistrust is well placed; see for example [1]. 

The second approach is exemplified by the cryptographic schemes proposed 
by, for example, Chaum [2] or Neff [3]. These strive for complete transparency, 
up to the constraints imposed by the ballot secrecy requirements, and seek to 
achieve assurance via detailed monitoring of the process rather than having to 
place trust in the system components. 

In between we find the paper audit trail approach (the “Mercuri method”) 
that seeks to provide the means to check on the performance of DRE machines 
and recovery mechanisms [4, 5] . 

In this talk I discuss the dependability and security requirements of election 
systems, primarily accuracy and secrecy but also availability and usability. I 
outline the extent to which these various approaches meet these requirements. 

I then discuss in more detail the design philosophy of the Chaum/Neff school 
and illustrate this with a variant of the Chaum scheme. These schemes support 
voter verifiability, that is, they provide the voter with a means to verify that 
their vote has been accurately recorded and counted, whilst at the same time 
maintaining ballot secrecy. The essence of this scheme is to provide the voter 
with a receipt that holds their vote in encrypted form. The challenge is to ensure 
that the decryption of the receipt that the voter sees in the booth is identical 
to the decryption performed by a sequence of tellers. The scheme combines a 
cut-and-choose protocol in the booth followed by robust anonymising mixes. 

The original scheme uses visual cryptography to generate the encrypted re- 
ceipts on a pair of transparent sheets. Correctly overlaid in the booth, these 
sheets reveal the ballot image. Separated they appear just to be random pixels. 
The voter retains only one of these sheets. The scheme presented here uses a simpler 
mechanism based on the alignment of symbols on adjacent strips of paper. 
This appears to be both simpler to explain and understand and to implement. 

We also note that the dependability of complex computer based systems 
depends as much on socio-technical factors as the purely technical details of 
the design. We briefly describe error handling and recovery strategies for this 
scheme. 

Poorly conceived, implemented and maintained voting technology poses a se- 
rious threat to democracy. Confidence in the integrity of voting systems appears 
to be at an all time low in the US for example. Schemes with a high degree of 
transparency along the lines of the Chaum or Neff proposals hold out the hope of 
restoring some of that confidence. In the words of Silvio Micali at the DIMACS 
workshop on Security Analysis of Protocols: “It is our duty as cryptographers to 
save democracy” [7]. 
Formal Verification of an Avionics Sensor Voter 

Using SCADE* 



Samar Dajani-Brown¹, Darren Cofer¹, and Amar Bouali² 

¹ Honeywell Laboratories, Minneapolis, MN, USA 
samar.dajani-brown@honeywell.com 

² Esterel Technologies, Villeneuve-Loubet, France 



Abstract. Redundancy management is widely utilized in mission criti- 
cal digital flight control systems. This study focuses on the use of SCADE 
(Safety Critical Application Development Environment) and its formal 
verification component, the Design Verifier, to assess the design correct- 
ness of a sensor voter algorithm used for management of three redundant 
sensors. The sensor voter algorithm is representative of embedded soft- 
ware used in many aircraft today. The algorithm, captured as a Simulink 
diagram, takes input from three sensors and computes an output signal 
and a hardware flag indicating correctness of the output. This study 
is part of an overall effort to compare several model checking tools to 
the same problem. SCADE is used to analyze the voter’s correctness 
in this part of the study. Since synthesis of a correct environment for 
analysis of the voter’s normal and off-normal behavior is a key factor 
when applying formal verification tools, this paper is focused on 1) the 
different approaches used for modeling the voter’s environment and 2) 
the strengths and shortcomings of such approaches when applied to the 
problem under investigation. 



1 Overview of Sensor Voter Problem 

With the advent of digital flight control systems in the mid 1970s came the 
capability to implement monitoring, redundancy management, and built-in-test 
functions in software without the need for additional hardware components. The 
sensors used in these flight control systems exhibit various kinds of determinis- 
tic and non-deterministic errors and failure modes including bias offsets, scale 
factor errors, and sensitivity to spurious input and environmental factors. Re- 
dundant sensors are used to compensate for these errors and failures. Sensor 
failure detection algorithms (“voters”) must detect and isolate a sensor whose 
output departs by more than a specified amount from the normal error spread. 
Publications such as [8] and [9] describe redundancy management schemes used 
in flight control systems. 

This paper builds on earlier work in [6] and is part of an overall effort to 
compare several model checking tools when analyzing the correctness of avionics 
components. We have used as a test case a typical voter algorithm with many 

* This work has been supported in part by NASA contract NAS1-00079. 
of the features taken from [8]. This class of algorithms is applicable to a variety 
of sensors used in modern avionics, including rate gyros, linear accelerometers, 
stick force sensors, surface position sensors, and air data sensors (e.g. static and 
dynamic pressures and temperature). 

Formal methods techniques, though still in their infancy in software development, have 
been used in [6] and [7] to analyze or verify safety critical properties of avionic 
software. We have found that the most challenging aspect of any formal verifi- 
cation effort is the specification of the environment in which the verified system 
operates. The environment captures all the assumptions about how the system 
interacts with the rest of the world, including physical constraints, timing con- 
siderations, and fault conditions. It should permit all interesting behavior of 
the system, while prohibiting any unrealistic behaviors. Much of our work has 
centered on creating good environment models for the sensor voter. 

In this study, we use SCADE, a tool suite for the development of real-time 
embedded software, and its formal verification component, the Design Verifier, 
to analyze the correctness of the voter’s algorithm. 

1.1 Sensor Voter Algorithm 

Simulink [13] is a computer aided design tool widely used in the aerospace 
industry to design, simulate, and auto-code software for avionics equipment. 
The voter’s algorithm was developed in Simulink. It incorporates the typical 
attributes of a sensor management algorithm and is intended to illustrate the 
characteristics of such algorithms. The voter takes inputs from three redundant 
sensors and synthesizes a single reliable sensor output. Each of the redundant 
sensors produces both a measured data value and self-check bit (validity flag) 
indicating whether or not the sensor considers itself to be operational. Data flow 
of the system is shown in Figure 1. A brief description of the voter’s design and 
functionality follows: 

1. Sample digitized signals of each sensor measurement at a fixed rate appropri- 
ate for the control loop, e.g. 20 Hz. A valid flag supplied by sensor hardware 
indicating its status is also sampled at the same rate. 




Fig. 1. Voter model and environment. 










2. Use the valid flag and comparison of redundant sensor measurements to 
detect and isolate failed sensors. 

3. Output at a specified sample rate a signal value computed as a composite 
average of the signals of non-faulty sensors. Also output, at the same specified 
rate, the status of the composite output by setting a ValidOutput flag. 

4. Tolerate “false alarms” due to noise, transients, and small differences in 
sensor measurements. Sensors are not marked failed if they are operating 
within acceptable tolerances and noise levels. 

5. Maximize the availability of valid output by providing an output whenever 
possible, even with two failed sensors. 

6. The algorithm is not required to deal with simultaneous sensor failures since 
this is a very low probability event. 

A more detailed description appears in earlier work using the symbolic model 
checker SMV [12, 10] to analyze correctness of the voter’s algorithm [6]. 

1.2 Sensor Voter Requirements 

Behavioral requirements for the sensor voter fall into two categories: 

1. Computational, relating to the value of the output signal computed by the 
voter. 

2. Fault handling, relating to the mechanisms for detecting and isolating 
sensor failures. The required fault handling behavior of the voter is shown 
in Figure 2. 

Each of these categories includes requirements for reliability (correctness under 
normal operation) and robustness (rejection of false alarms). 

Computational Requirements 

The main purpose of the sensor voter is to synthesize a reliable output that agrees 
with the “true” value of the environmental data measured by the redundant 
sensors. Therefore under normal operation, the output signal should agree with 
this true value within some small error threshold. In the absence of sensor noise 
or failures the two values should agree exactly. During the interval between the 
failure of a sensor and the detection of the failure by the voter, it is expected that 
the output value will deviate from the true value due to the continued inclusion 
of the failed sensor in the output average. During this reconfiguration interval 
the transient error in the output signal must remain within specified bounds, 
regardless of the type or magnitude of the failure. 

Fault Handling Requirements 

The required fault handling behavior for the voter is shown in Figure 2. Initially, 
all three sensors are assumed to be valid. One of these sensors may be eliminated 
due to either a false hardware valid signal from the sensor or a miscomparing 
sensor value, leading to the “2 valid” state. If one of the two remaining sensors 
sets its hardware valid signal false, it is eliminated leading to the “1 valid” state. 
[Figure 2: state diagram of the voter’s fault states. Recoverable transition 
labels: “Valid sensor goes”, “1 valid sensor goes”, “Eliminate common sensor.”, 
“Valid sensors have persistent miscompare. (Both are still valid)”] 

Fig. 2. Fault states of the sensor voter. 



If this sensor subsequently sets its valid flag false it is eliminated and the voter 
output is set to not valid. A special situation occurs when there are two valid 
sensors. If these sensors miscompare, the voter cannot determine which may be 
faulty. Although there are other possibilities, this voter algorithm continues to 
keep both sensors in service but it sets its output valid flag false. If the sensors 
subsequently agree in value, the voter returns to the “2 valid, no miscompare” 
state and sets its output valid flag to true. Alternatively, if one of the two sensors 
identifies itself as faulty (via the hardware valid flag) it can be isolated by the 
voter and the other sensor signal used as the correct output value. 




2 Overview of SCADE 

SCADE (Safety Critical Application Development Environment)¹ is a tool suite 
for the development of real-time embedded software. It provides a programming 
language called SCADE, a simulation environment, automatic code generation, 
and formal verification. 



2.1 The SCADE Design Language 

SCADE is a graphical deterministic, declarative, and structured data-flow pro- 
gramming language based on the Lustre language [1,2]. SCADE has a syn- 
chronous semantics on a cycle-based and reactive computational model. The 
node is the basic operator or design block of the language and can be either 
graphical or textual. A control system is modeled in SCADE via nodes con- 
nected to one another in a manner similar to how control systems get modeled 

¹ SCADE is distributed by Esterel Technologies (www.esterel-technologies.com). 
in Simulink. Some of the advantages of SCADE are that while developing the 
model, the simulator component can be used to check for syntax and semantic 
correctness of the nodes. SCADE is a strongly typed language with predefined 
and user defined types. The language allows for arithmetic operations on real and 
integer values, logical operation on Boolean variables, control flow operations (if 
then else, case) and temporal operators to access values from the past. 

Figure 3 shows a graphical SCADE node programming a simple counter of the 
occurrence of an event. The occurrence of an event is given as a Boolean input 
flow called Event. The counter produces an output integer flow called Count. 
The Lustre textual data-flow equations counter-part of the graphical node are 
listed in the figure as well. The fby operator is a memory element, whose output 



node CountEvent (Event : bool) returns (Count : int) 
var 
  _L1 : int; _L2 : int; 
let 
  _L1 = if Event then (1 + _L2) else (_L2); 
  _L2 = fby(_L1, 1, 0); 
  Count = _L2; 
tel 

Fig. 3. A simple SCADE node. 




is equal to its input value after a fixed number of cycles. For instance, _L2 = 
fby(_L1, 1, 0) means _L2 is equal to _L1 after 1 cycle. At the initial cycle, 
_L2 is equal to 0. The rest of the node behavior is straightforward. 

2.2 Formal Verification in SCADE 

Design Verifier (DV) is the formal verification module of SCADE². DV is a 
model checker of safety properties. Safety properties are expressed using the 
SCADE language. There is no specific syntax framework as in SMV to express 
liveness properties in the form of CTL logic [11]. A SCADE node implementing 
a property is called an observer [3] . An observer receives as inputs the variables 
involved in the property and produces an output that should be always true. 
Figure 4 shows how a new model is built connecting the model to verify to 
the observer property. DV is used to check if the property observer’s output 
is always true. If it is, the property is said to be Valid, otherwise it is said 
to be Falsifiable, in which case DV generates a counter-example that can be 
played back in the SCADE simulator for debugging purposes. DV is able to 
verify properties mixing Boolean control logic, data-value transformations, and 
temporal behavior. DV core algorithms are based on Stålmarck’s SAT-solving 
algorithm for dealing with Boolean formulae, surrounded by induction schemes 
to deal with temporal behavior and state space search [4] . These algorithms are 
coupled with constraint solving and decision procedures to deal with the data- 
path. SAT-based model-checking has shown interesting performances compared 

² DV is based on Prover Technology proof engines (www.prover.com). 
Fig. 4. Verification by means of observers. 



to BDD-based model-checking [5] , in particular for many real-world applications 
with enormous formulas that could not be handled by current BDD packages [4] . 

DV, similar to SMV, allows for restriction of the state space while verifying 
a property through a notion of assertions. A SCADE assertion on an input or 
output variable is similar to an SMV invariant and prunes the search space to 
only those instances where the assertion holds true. Therefore, in using SCADE 
and the DV, our work let us use and compare DV and SMV as applied to the 
same problem. 
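As an added illustration of the fby semantics of Section 2.1 and the observer approach of Section 2.2, the following is example code written for this edition; it is neither the SCADE language nor Design Verifier's engine. A small Python stream evaluator runs the CountEvent node of Figure 3 cycle by cycle, connects it to an observer node as in Figure 4, and decides Valid versus Falsifiable by exhaustive simulation of every Boolean input flow up to a fixed length. The names Fby, CountEvent, CountObserver, EagerObserver, run_counter and bounded_check are the example's own.

```python
"""Added example (not SCADE or Design Verifier code): a minimal synchronous
stream evaluator reproducing the CountEvent node of Figure 3, plus observer
nodes checked by exhaustive bounded simulation in the spirit of Figure 4."""
from itertools import product


class Fby:
    """fby(x, n, init): the output equals the input delayed by n cycles and is
    `init` for the first n cycles. The current output never depends on the
    current input, which is what makes the feedback loop in CountEvent
    well defined."""

    def __init__(self, n, init):
        self.buf = [init] * n      # values still waiting to be emitted

    def current(self):
        return self.buf[0]

    def push(self, x):
        """Advance one cycle: drop the emitted value, queue the new input."""
        self.buf.pop(0)
        self.buf.append(x)


class CountEvent:
    """Python rendering of the node of Figure 3:
         _L1 = if Event then (1 + _L2) else (_L2);
         _L2 = fby(_L1, 1, 0);
         Count = _L2;"""

    def __init__(self):
        self.delay = Fby(1, 0)     # the fby memory element

    def step(self, event):
        l2 = self.delay.current()  # determined by the previous cycle only
        l1 = 1 + l2 if event else l2
        self.delay.push(l1)
        return l2                  # Count = _L2


class CountObserver:
    """Observer node whose output must be always true (Valid):
       ok = (Count = fby(Count, 1, 0) + (if fby(Event, 1, false) then 1 else 0))
    i.e. Count equals the number of events seen in earlier cycles."""

    def __init__(self):
        self.prev_count = Fby(1, 0)
        self.prev_event = Fby(1, False)

    def step(self, event, count):
        expected = self.prev_count.current() + (1 if self.prev_event.current() else 0)
        self.prev_count.push(count)
        self.prev_event.push(event)
        return count == expected


class EagerObserver:
    """A deliberately wrong observer: it claims Count already includes the
    current cycle's event. Simulation shows it is Falsifiable."""

    def __init__(self):
        self.seen = 0

    def step(self, event, count):
        self.seen += 1 if event else 0
        return count == self.seen


def run_counter(events):
    """Simulate CountEvent over a finite Boolean input flow; returns the Count flow."""
    node = CountEvent()
    return [node.step(e) for e in events]


def bounded_check(observer_factory, n_cycles):
    """Connect CountEvent to an observer (Figure 4) and simulate every Boolean
    input flow of length n_cycles. Returns None when the observer output is
    true on every cycle of every flow (Valid within the bound), otherwise the
    first falsifying input flow, playing the role of DV's counter-example."""
    for events in product([False, True], repeat=n_cycles):
        node, observer = CountEvent(), observer_factory()
        for e in events:
            if not observer.step(e, node.step(e)):
                return list(events)
    return None


if __name__ == "__main__":
    print(run_counter([True, True, False, True]))   # [0, 1, 2, 2]
    print(bounded_check(CountObserver, 8))           # None: Valid up to 8 cycles
    print(bounded_check(EagerObserver, 3))           # [False, False, True]
```

Exhaustive simulation up to a depth is not DV's SAT-and-induction proof: a None result only shows the observer holds within the chosen bound, whereas the falsifying flow it returns is a genuine counter-example of the kind that can be replayed in a simulator for debugging.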

3 Modeling and Analysis Using SCADE 

The overall SCADE model of the system under consideration, as shown in Fig- 
ure 5, consists of the voter model and the environment model. The voter’s model 
corresponds to the “real” system that we wish to analyze. It is composed of a 
hierarchical representation of graphical and textual SCADE nodes. The environment 
model consists of three sensor models and a world model and is intended to be 
a realistic description of the environment driving the voter’s functionality. The 
distinction between the system under study (voter model) and its environment 
(the sensors and world models) is an important one. The voter’s model should 
be modeled with the highest possible fidelity, its structure should be traceable 
to the original design, and it should conform as closely as possible to code 
generated from the design. 

Fig. 5. Top Level SCADE Model of Voter and Environment System. 

The level of abstraction used in modeling the environment should be chosen 
carefully, since we must ensure that the environment exercises all possible 
behaviors of the voter (including faulty conditions) without introducing any 
unrealistic behavior [6]. 

The design of a realistic environment is crucial when verifying “real” system 
properties using model checking techniques. We can consider the environment as 
the outside world that interacts with the system under study and the systems’ 
requirements as collections of statements about the outside world that we want 
the system to help make true. The design of a good environment must model the 
outside world requirements accurately without introducing erroneous behavior. 
The environment model must capture all general, including faulty, expected 
behavior of the outside world that interfaces with the system to be verified. 

Design of good environment models is gaining recognition as an important re- 
search problem. For example, in [17], automatically generated environment mod- 
els are used to verify the source code of the Windows kernel. The environment 
to be modeled is the application programming interface (API). The environment 
model is generated via a “training” process by taking several programs that use 
a common API and applying model checking to create abstractions of the API 
procedures. These abstractions are then reused on subsequent verification runs 
to model-check different programs utilizing the same API. 

In our study, we use knowledge gained from counterexamples generated with 
one environment model to refine newer environment models that more accurately 
capture the requirements. We expect our system to handle a range of sensor 
signals, some of which are faulty, but no more than one sensor may exhibit faulty 
behavior at any given time: it is true of the outside world that no two sensors 
become faulty simultaneously, since the probability of such an event is very close 
to zero. As discussed in later sections, we capture this property in two different 
ways through different environment models. The environment models are developed 
manually and results of three such models are reported in later sections. 

Our SCADE model of the voter was developed based on the voter’s origi- 
nal Simulink design. SCADE provides a gateway for automatic translation of 
Simulink models, but we have not evaluated this capability in our current study. 

The sections below list the three approaches used to model the voter’s en- 
vironment. Whenever possible, we compare our modeling approach in SCADE 
versus our earlier work using SMV. Results to follow were computed using a 
Pentium III PC with 512 MBytes of RAM running Windows 2000. 

3.1 Modeling Assumptions and Simplifications 

The following assumptions and simplifications have been made in modeling the 
sensor voter using different environments. 

Fault Injection 

A Boolean flag is read from the outside world by the sensor model; such a 
flag injects non-deterministic faulty behavior in the sensor. The sensor model is 
designed such that when this flag is set then the sensor is faulty in both hardware 
and signal. To test correctness of the voter’s fault handling and computational 
requirements when signal or hardware faults occur, we use different values for 
the persistence value constant; by the voter’s design, this constant is the number 
of cycles that a sensor is allowed to differ in signal prior to being eliminated by 
the voter. We define a “signal fault” as the fault detected by the voter when a 
sensor differs in signal from the good expected signal value. To test for a signal 
fault, we set the persistence threshold equal to two. This assumption guarantees 
that a signal failure must be detected and isolated by the voter in two cycles, 
i.e. one cycle after the cycle where the fault occurs. We also define a sensor’s 
“hardware fault” as the fault detected by the voter due to hardware failure in the 
sensor; by the voter’s design, the hardware fault should be detected and the faulty 
sensor should be isolated in three cycles. To test for a hardware fault, we set the 
persistence threshold equal to four. Thus the detection and isolation of the 
hardware fault, which requires three cycles to complete (i.e. two cycles after the 
cycle where the fault occurs), takes place before the detection and isolation of 
the signal fault, which in this case requires four cycles to complete. 

Time Model 

The SCADE models do not explicitly model time. Each execution step in the 
model corresponds to one sample in the Simulink design, independent of the 
actual sample rate. The only place where time enters into the original Simulink 
model is a Gain block which multiplies its input by a constant (gain). This gain 
constant was adjusted so that the model is independent of time. A detailed 
justification for modeling the voter’s algorithm independent of time is described 
in [6]. 

No Simultaneous Sensor Failures 

The algorithm assumes that two sensors cannot fail at the same time. In partic- 
ular, the first sensor failure must be detected and isolated by the voter before 
it is able to respond to a second failure. This fault hypothesis is reasonable if 
sensor failures are independent so that the probability of simultaneous failures 
is sufficiently low. 

We approached this single fault hypothesis in two ways: 1) In the first environment 
model, referred to in later sections as “Environment Model I”, we used an approach 
similar to our earlier work in SMV. Since the number of valid sensors plus the 
number of sensors declared faulty is bounded between three and four inclusive, we 
used a SCADE assertion to enforce this bound. 

Note that the number of faulty sensors (numFaulty) is computed within the 
environment as sensors become faulty but the number of valid sensors (num- 
Valid) is computed within the voter and its correctness must be verified indepen- 
dently. With this in mind, we developed different environment models, referred 
to as “Environment Model II” and “Environment Model III”, that handled the 
single fault hypothesis by asserting that the number of faulty sensors ( a value 
computed within the environment) is always less than or equal to one. 







Noise Free Signals 

The models developed did not deal with signal noise. In all of our analysis, we 
assume that any deviation in the sensor signals is a fault. Our verification work 
focused on the voter’s ability to identify and isolate faulty sensors, rather than 
on robustness requirements. 

4 Analysis 

We will use the following notation to express our properties throughout this 
section, where HF and SF mean Hardware Failure and Signal Failure respectively. 

$p \rightarrow_i q$: true iff $q$ is true $i$ cycles after the cycle where $p$ is true. 

$VS$: the number of valid sensors. 

$F_{h1}, F_{h2}, F_{h3}$: true if there is a HF of one, two, and three sensors 
respectively. 

$F_{s1}, F_{s2}$: true if there is a SF of one and two sensors respectively. 

4.1 Fault Handling Requirements Properties 

The properties extracted from the fault handling requirements of Figure 2 that 
we want to formally verify can be grouped by the number of sensor failures. 

One Sensor Failure. Here are the properties when one sensor is detected as 
faulty. 

— Hardware fault: 

$(VS = 3 \wedge ValidOutput \wedge F_{h1}) \Rightarrow^{2} (VS = 2 \wedge ValidOutput)$ 

This property means that if the number of valid sensors is 3, and the Voter’s 
output is valid, and there is one hardware faulty sensor, then after 2 cycles 
the number of valid sensors becomes 2 and the Voter’s output is valid. 

— Signal fault: 

$(VS = 3 \wedge ValidOutput \wedge F_{s1}) \Rightarrow^{1} (VS = 2 \wedge ValidOutput)$ 

This property means that if the number of valid sensors is 3, and the Voter’s 
output is valid, and there is one sensor with a software (signal) fault, then after 1 cycle the 
number of valid sensors becomes 2 and the Voter’s output is valid. 

Two Sensor Failures. Here are the same properties when a second sensor is 
detected as faulty. 

— Hardware fault: 

$(VS = 2 \wedge ValidOutput \wedge F_{h2}) \Rightarrow^{2} (VS = 1 \wedge ValidOutput)$. 

— Signal fault: 

$(VS = 2 \wedge ValidOutput \wedge F_{s2}) \Rightarrow^{1} (VS = 2 \wedge \neg ValidOutput)$. 

This property means that if 2 valid sensors miscompare in signal, then after 
1 cycle the output of the voter is declared invalid. Both sensors remain valid 
since the voter algorithm is not designed to determine the faulty sensor for 
this case. However, the faulty sensor will exhibit a faulty behavior in the 
following cycle and will get eliminated by the voter. This last special case is 
discussed in more detail in a later section. 
Three Sensor Failures. Here are the same properties when a third sensor is 
detected as faulty. 

— Hardware fault: 

$(VS = 1 \wedge ValidOutput \wedge F_{h3}) \Rightarrow^{2} (VS = 0 \wedge \neg ValidOutput)$. 

— Signal fault: 

If there is only one valid sensor in the system, then the voter can only 
eliminate this sensor based on a hardware fault, i.e. we cannot test for a 
signal fault since there is no other valid sensor to compare to. 



Sensor Elimination Property. When a sensor is eliminated by the Voter it 
will never be considered in any future computation. We express it as: 
$((VS = k) \rightarrow \neg(VS > k)),\ k \in [0, 2]$. This property means that if the number of valid 
sensors becomes k then this value will never become a value greater than k. 

4.2 Environment Model I 
Sensor Model 

The sensor model captured as a SCADE graphical node takes as input a non- 
deterministic Boolean flag from the environment. A signal of one and a hardware 
valid flag are produced by the sensor if the Boolean flag is false (i.e. sensor not 
faulty); a signal of five and a hardware invalid flag are broadcast when the 
Boolean input flag is true. In addition, a logical combination of a single-cycle delay 
and an or-gate is used so that once a sensor becomes faulty (i.e. the Boolean 
input flag is true) it stays faulty and does not recover. This latched value is 
also sent as output from the sensor and is used in calculating the numFaulty 
value. The assumption that a faulty sensor does not recover differs from our 
sensor model in SMV, where we allowed a faulty sensor to recover from its faulty 
behavior. Furthermore, we use only two input signal values {1,5} to indicate 
the faulty/non-faulty behavior of a sensor, which differs from our analysis in 
SMV where we used a signal range of {1,2,3}. Assuming two input signal values 
is justifiable since in our analysis of the voter algorithm we only care about the 
difference between two signals. 

Environment Node 

This SCADE node is composed of three sensor nodes, a multiplexer node that 
groups and outputs the hardware valid flags of the sensors into an array of three 
Boolean values, a multiplexer that groups and outputs the signals broadcast 
by the three sensors into an array of three integers and a numFaulty node. 
The numFaulty node sums the Boolean flags sent by each sensor indicating its 
faulty/non-faulty status and outputs that sum as numFaulty. We restrict the sum 
of faulty and valid sensors to be bounded between three and four inclusive. This 
restriction guarantees our single fault hypothesis because it allows one sensor to 
become faulty and a second sensor cannot become faulty until the first faulty 
sensor is detected and eliminated by the voter. 
Table 1. Verification Results. 

Property | Time (secs) | Result 
One sensor failure 
Hardware fault | 134 | Valid: a faulty sensor on a hardware fault is detected by the voter 
Signal fault | 3 | Valid 
Sensor elimination is final | 0.13 | Valid with persistent threshold = 2 (software fault) 
Sensor elimination is final | 0.14 | Valid with persistent threshold = 4 (hardware fault) 
Two sensor failures 
Hardware fault | 137 | Valid: a second faulty sensor on a hardware fault is detected by the voter 
Signal fault | 81 | Valid 
Sensor elimination is final | 0.11 | Valid with persistent threshold = 2 (software fault) 
Sensor elimination is final | 0.13 | Valid with persistent threshold = 4 (hardware fault) 
Three sensor failures 
Hardware fault | 137 | Valid: a second faulty sensor on a hardware fault is detected by the voter 
Signal fault | | Not relevant, see section 4.1 
Sensor elimination is final | 0.14 | Valid 



Verification of Fault Handling Requirements 

Table 1 summarizes the results we obtain when checking the properties. The 
first column recalls the name of the property. The second column gives the CPU 
time in seconds spent by DV to check the property. The third column gives the 
result of verification, which is either Valid to mean that the property holds, or 
Falsifiable in the opposite case, and some additional comments when necessary. 

Recall that in our sensor model, hardware and signal faults occur simulta- 
neously; therefore, we expect that the signal fault is detected by the voter in a 
number of cycles equal to the persistence threshold value (i.e. two) whereas the 
hardware fault should be detected in three cycles. Therefore, by setting the persis- 
tence threshold equal to two, not only can we check that a second faulty sensor 
with a signal fault leads to a state where the voter's output is declared invalid 
and the number of valid sensors is still equal to two, but we can also check whether 
this same sensor demonstrates a hardware failure in three cycles; i.e. one cycle 
after it reached the state of 2 valid sensors and invalid output, the voter should 
be in the state of one valid sensor and valid output. We were able to verify that 

$(VS = 2 \wedge \neg ValidOutput) \Rightarrow^{1} (VS = 1 \wedge ValidOutput)$. 

Drawbacks to Environment Model I 

1. One drawback to this sensor model is that a failed sensor remains faulty 
and continues to produce an invalid hardware flag and a bad signal. This 
means that we cannot test the voter's ability to transition from the state 
where the number of valid sensors is two and output is not valid to the state 
where the number of valid sensors is two and the output is valid as shown in 
Figure 2. A different sensor model is required to investigate this capability 
of the voter. 

2. The assertion that the number of valid sensors plus the number of faulty 
sensors is between three and four inclusive, coupled with the sensor design 
used allows the second faulty sensor on a software fault to manifest its fault 
as a hardware fault, thus transitioning to the state of 1 valid sensor and valid 
output. This design eliminates the possibility that the third healthy sensor 
manifests a faulty hardware behavior before the second fault is detected by 
the voter. 

4.3 Environment Model II 
Environment Node 

This SCADE node differs from the environment in the previous model in that 
the numFaulty node sums the Boolean flag read by each sensor from the outside 
world indicating its faulty/non-faulty status and outputs that sum as numFaulty, 
as opposed to summing up the Boolean flag sent by each sensor indicating its 
faulty/non-faulty status. Such a change is necessary in order to use the assertion 
that the number of faulty sensors is less than or equal to one (i.e. numFaulty 
<= 1). This assertion does not make use of the variable numValid which is 
computed by the voter. The assertion guarantees the single fault hypothesis since 
it allows only one sensor to be faulty at any given time. The results obtained 
from this environment model are described below. 

Verification of Fault Handling Requirements 

Table 2 summarizes the results we obtain when checking the properties. For 
one sensor failure the verification attempt resulted in a counter-example where 
sensor1 is faulty for one cycle (i.e. signal = 5) and sensor3 is faulty for the next cycle 
(i.e. signal = 5), so sensor1 being faulty agrees with sensor3 being faulty in the 
next cycle instead of being eliminated. Using the assertion that the number of 
valid and faulty sensors is between three and four inclusive prevented a situation 
where the second sensor becomes faulty before the first faulty sensor is eliminated 
by the voter. However, that assertion made use of numValid, which is an output of 
the voter itself. When we avoid using numValid and instead use the numFaulty 
<= 1 assertion, we permit more random behavior of the system and receive the 
counter-example above. The problem is that we have not allowed enough time 
between faults for the voter to eliminate the sensor. For two sensor failures the 
verification resulted in a counter-example where sensor1 is faulty for two cycles 
and is eliminated by the voter, after which sensor3 is faulty for one cycle (i.e. 
signal equals 5), then sensor2 is faulty for the next immediate cycle (signal = 
5 also). Therefore, sensor3 and sensor2, though faulty, agree on signal and we 
do not get to the state where the number of valid sensors is 2 but the output is 
not valid. The fact that we are not allowing enough time between faults causes 
this behavior to occur. This problem is addressed in Environment Model III 
described below. 
Table 2. Verification Results. 

Property | Time (secs) | Result 
One sensor failure 
Hardware fault | 88 | Valid: a faulty sensor on a hardware fault is detected by the voter 
Signal fault | | Falsifiable 
Two sensor failures 
Hardware fault | 116 | Valid: a second faulty sensor on a hardware fault is detected by the voter 
Signal fault | | Falsifiable 




Fig. 6. SCADE Model of Sensor used in Environment III. 



4.4 Environment Model III 
Modifications to Sensor Model 

As in the previous section, this environment model uses the assertion that 
numFaulty <= 1 and also assumes that a time delay that exceeds the thresh- 
olds for detecting a hardware or signal fault exists between sensor faults. The 
sensor model, Figure 6, is modified such that the fault Boolean flag for a faulty 
sensor remains true for five cycles, after which it is set to false, thus allowing a 
second sensor to fail under the assumption that numFaulty <= 1. Recall that 
a hardware fault must be detected in three cycles and we are using a persistent 
threshold of two and four for the detection of signal failure, thus the five cycle 
delay is justified. The sensor model is further modified to receive a signal range 
between one and five from the outside world; a non-faulty sensor broadcasts the 
signal received whereas a faulty sensor broadcasts the signal received plus one. 
Hence a faulty sensor always exhibits faulty behavior in signal. This assumption 
is valid because we are interested in the voter behavior when the sensors differ 
in signal. In all the analysis below we use an assertion that numFaulty <= 1 
and that the sensor signal range is between one and five inclusive. 
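The difference between the Environment Model II sensor of the previous section and the Environment Model III sensor above, re-expressed as an added Python simulation (not the paper's SCADE nodes): both sensor models are driven by every possible world-flag sequence under the assertion numFaulty <= 1, and the exhaustive exploration shows that Model II still admits two sensors being faulty at once (the counter-example shape of Table 2) while Model III keeps at least five cycles between fault onsets. The sensor count, the cycle horizon and the rule that a flag raised during a hold does not extend it are assumptions of this example.

```python
"""Sensor nodes of Environment Models II and III as a small exhaustive
simulation.  Added example, not the paper's SCADE nodes: the latch, the
five-cycle hold and the assertion numFaulty <= 1 are re-implemented from
the paper's description; horizon and sensor count are constructed."""
from itertools import product

NUM_SENSORS = 3
HOLD_CYCLES = 5  # Model III: a fault flag stays true for five cycles, then clears


class ModelII:
    """Model II: the sensor latches permanently once its world flag is raised
    (single-cycle delay + or-gate), but numFaulty sums the raw world flags,
    not the latched sensor state that the voter actually observes."""
    init_state = False  # latched fault status of one sensor

    @staticmethod
    def step(flag, latched):
        """Return (faulty this cycle, next state)."""
        latched = latched or flag
        return latched, latched

    @staticmethod
    def num_faulty(flags, faulty):
        return sum(flags)  # counts the inputs, not the sensors' real state

    @staticmethod
    def signal(faulty, world=None):
        return 5 if faulty else 1  # Model I/II sensor broadcasts only {1, 5}


class ModelIII:
    """Model III: a raised world flag makes the sensor faulty for HOLD_CYCLES
    cycles, after which it recovers; numFaulty sums the sensors' held fault
    flags.  Assumption: a flag raised during a hold does not extend it."""
    init_state = 0  # cycles of fault still remaining for one sensor

    @staticmethod
    def step(flag, remaining):
        if flag and remaining == 0:
            remaining = HOLD_CYCLES
        faulty = remaining > 0
        return faulty, max(remaining - 1, 0)

    @staticmethod
    def num_faulty(flags, faulty):
        return sum(faulty)

    @staticmethod
    def signal(faulty, world):
        return world + 1 if faulty else world  # world signal in 1..5


def explore(model, horizon):
    """Enumerate every world-flag sequence of length `horizon`, discarding any
    prefix that violates numFaulty <= 1 (what the SCADE assertion does for DV).
    Returns (witness, min_gap): `witness` is the per-cycle fault-state trace
    ending in a cycle where two sensors are faulty at once (None if
    unreachable); `min_gap` is the smallest number of cycles between the fault
    onsets of two different sensors (None if no second onset is reachable)."""
    witness, min_gap = None, None
    seen = set()

    def dfs(cycle, states, onsets, trace):
        nonlocal witness, min_gap
        key = (cycle, states, onsets)
        if cycle == horizon or key in seen:
            return
        seen.add(key)
        for flags in product((False, True), repeat=NUM_SENSORS):
            stepped = [model.step(f, s) for f, s in zip(flags, states)]
            faulty = tuple(f for f, _ in stepped)
            nxt = tuple(s for _, s in stepped)
            if model.num_faulty(flags, faulty) > 1:
                continue  # assertion violated: this input is never explored
            new_onsets = tuple(o if o is not None else (cycle if f else None)
                               for o, f in zip(onsets, faulty))
            new_trace = trace + [faulty]
            if witness is None and sum(faulty) >= 2:
                witness = new_trace
            known = sorted(o for o in new_onsets if o is not None)
            if len(known) >= 2:
                gap = min(b - a for a, b in zip(known, known[1:]))
                min_gap = gap if min_gap is None else min(min_gap, gap)
            dfs(cycle + 1, nxt, new_onsets, new_trace)

    dfs(0, (model.init_state,) * NUM_SENSORS, (None,) * NUM_SENSORS, [])
    return witness, min_gap


if __name__ == "__main__":
    for model in (ModelII, ModelIII):
        witness, gap = explore(model, horizon=8)
        print(model.__name__, "two sensors faulty at once:",
              "reachable" if witness else "unreachable",
              "| min cycles between fault onsets:", gap)
        if witness:  # Table 2 shape: one sensor flagged, another the next cycle
            print("  witness (faulty per cycle):", witness)
```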
Table 3. Verification Results. 

Property | Time (secs) | Result 
One sensor failure 
Hardware fault | 204 | Valid: a faulty sensor on a hardware fault is detected by the voter 
Signal fault | 101.6 | Valid 
Sensor elimination is final | 0.31 | Valid with persistent threshold = 2 (software fault) 
Sensor elimination is final | 0.23 | Valid with persistent threshold = 4 (hardware fault) 
Two sensor failures 
Hardware fault | 225 | Valid: a second faulty sensor on a hardware fault is detected by the voter 
Signal fault | 122.67 | Valid 
Sensor elimination is final | 0.19 | Valid with persistent threshold = 2 (software fault) 
Sensor elimination is final | 0.22 | Valid with persistent threshold = 4 (hardware fault) 
Three sensor failures 
Hardware fault | 0.22 | Valid: a second faulty sensor on a hardware fault is detected by the voter 
Signal fault | | Not relevant (see section 4.1) 
Sensor elimination is final | | Valid 



Verification of Fault Handling Requirements 

Table 3 summarizes the results we obtain when checking the fault-handling prop- 
erties. Table 1 and Table 3 are verification results for the same properties with 
the exception that the single fault hypothesis used in Table 3 is independent of 
any values computed by the voter. 

Property for the Output Signal Value. It is expected that there will be a 
transient condition in which the voter output data may differ from the signal 
received from the world when a sensor becomes faulty. However, after a certain 
threshold, the voter output data must agree with the signal received from the 
world. Using a delay of 2 cycles, a persistent threshold of 4, and asserting that 
numValid is greater than 0, we verified that: 

$(worldSignal \neq voterdata) \Rightarrow^{2} (worldSignal = voterdata)$ 

The verification completed in 10.4 seconds and produced a valid result. 

5 Conclusion 

In this paper we have used the formal verification capabilities of the SCADE 
Design Verifier to analyze an embedded avionics software design. Model checking 
is used to verify the correctness of the design with respect to its high-level fault- 
handling requirements. 
The main contribution of this work is to demonstrate the significance of the 
environment model in verifying the design requirements of an algorithm. The 
process of capturing a system’s design requirements for algorithm development 
and subsequent software implementation is never an easy task. The design of a 
suitable environment model is centered around developing a model that drives 
the system to be implemented and tests the captured design requirements of the 
system. Our work shows that capturing and developing the correct environment 
model is a key issue and can be as hard as verifying correctness of the system 
itself. 
Abstract. This paper addresses the question of extending the usual 
approximation and sampling theory of continuous signals and systems 
to those encompassing discontinuities, such as found in modern complex 
control systems (mode switches for instance). We provide a topological 
framework derived from the Skorokhod distance to deal with those cases 
in a uniform manner. We show how this theoretical framework can be 
used for voting on hybrid signals in critical real-time systems. 



1 Introduction 

Though the theory of distributed fault-tolerant systems advocates the use of 
clock synchronisation [9, 7], still many critical real-time systems are based on the 
GALS (globally asynchronous, locally synchronous) paradigm: in this framework, 
each computer is time-triggered but the clocks associated with each computer 
are not synchronised and communication is based on periodic sampling: each 
computer has its own clock and periodically samples its environment, i.e., the 
physical environment but, also, the activities of the other computers with which 
it communicates. When such an architecture is used in critical systems, there 
is a need for a thorough formalisation of fault tolerance in this framework. In 
a previous paper [5] we already formalised the concepts of threshold and delay 
voters. However there was in this paper some lack of symmetry between the two 
concepts: sampling continuous signals and threshold voting were very simply 
based on topological notions like uniform continuity and $L_\infty$ distance. On the 
contrary, sampling discrete event signals and associated delay voting were based 
on more ad-hoc notions. 

Later [4], we found that the use of the Skorokhod distance [3] was a way to 
overcome this lack of symmetry. More precisely, we showed that the discrete 
signals that could be sampled were those that were uniformly continuous with 
respect to this distance. This opened the way toward a generalisation to hybrid 
(mixed continuous-discrete) signals. 

* This work has been supported by the European Network of Excellence Artist and 
by the Airbus-Verimag CIFRE grant 2003-2006. 
Moreover, we remarked that our previous study on voters was incomplete: 
in practice, it appears that people do not only use threshold voters and delay 
voters but also, and mainly, mixed threshold and delay voters. In these voters, 
a failure is detected if two signals differ for more than a given threshold during 
more than a given time. 

This paper is thus devoted to a formalisation of these voters based on the 
Skorokhod topology. More precisely, we show that if two signals are within a 
given Skorokhod neighbourhood and if one of them is uniformly Skorokhod con- 
tinuous, then we can design a 2x2 hybrid voter which will not raise an alarm as 
long as these conditions are fulfilled. In practice, this result allows us to finely 
tune the voter parameters as a function of the nominal (non-faulty) errors and 
delays resulting from: 

— the numerical and delay analysis of the sensors, 

— the algorithms used for computing outputs 1 

— and the architecture of communication between computing locations. 

The paper is organised as follows: in a second section, we provide basic def- 
initions. Section 3 defines a hybrid uniform bounded variability which is a 
hybrid generalisation of the corresponding notion on piece-wise constant signals. 
Section 4 recalls basic voting schemes and presents the mixed (hybrid) voter. 
Then we prove an intermediate (but important) result relating the Skorokhod 
topology with uniform bounded variability. Finally, we show the formal bases 
relating the topology and the voting schemes. 

2 Basic Definitions 

2.1 Signals and Systems 

We consider systems that have to operate continuously for a long time, for in- 
stance a nuclear plant control that is in operation for weeks or an aircraft con- 
trol that flies for several hours. Thus, the horizon of our signals is not bounded. 
Hence, a signal x is for us simply a piece-wise continuous function from $\mathbb{R}$ to 
$\mathbb{R}$, that is to say, a function which is continuous except on a finite or diverging 
sequence of times $\{t_0, \ldots, t_n, \ldots\}$. This means, in particular, that left and right 
limits exist at each point in time. Furthermore, we assume that discontinuities 
are only of the first kind, such that the value at a given time is always within 
the interval made of left and right limits: 

For all t, 

$x(t) \in [\inf(x(t^-), x(t^+)),\ \sup(x(t^-), x(t^+))]$ 

where, as usual, $x(t^-)$ ($x(t^+)$) is the left (right) limit of x at t. 

Finally, we assume that the signal remains constant before the first disconti- 
nuity time $t_0$. 

1 We can remark that this kind of method allows the use of diverse programming [2] 
which is one of the ways for tolerating design and software faults. 
A system is simply a function S causally transforming signals, that is to say, 
such that $S(x)(t)$ is only a function of $x(t'),\ t' < t$. 

The delay operator $\Delta_\tau$ is such that $(\Delta_\tau x)(t) = x(t - \tau)$, and a system is 
stationary (or time invariant) if $\forall \tau,\ S(\Delta_\tau x) = \Delta_\tau (S x)$. 

An even more restricted class of systems is the class of static or combinational 
systems, that is to say, systems that are the "unfolding" of a scalar function: 

$= f(x(t))$ 

2.2 Retiming and Sampling 

A retiming function $r \in Ret$ is a non-decreasing function from $\mathbb{R}$ to $\mathbb{R}$. This 
is a very general definition which provides many possibilities. For instance, a 
piece-wise constant retiming function can be seen as a sampler: if $x' = x \circ r$, and 
if r is piece-wise constant, then, at each jump of r, a new value of x is taken and 
maintained up to the next jump. This allows us to define a periodic sampler r, 
of period $T_r$ by the piece-wise constant function (see figure 1): 

$r(t) = \lfloor t / T_r \rfloor$ 

where $\lfloor \cdot \rfloor$ is the floor function. 



Fig. 1 . A periodic sampling retiming. 



The following well-known lemma states a property of bijective retimings 
($BRet$): 

Lemma 1. A bijective retiming is both increasing and continuous and its inverse 
is continuous: it is a homeomorphism. 

Finally, retimings allow us to characterise static (or combinational) systems, that 
is to say, those systems which commute with retiming: 

Theorem 1 (Static systems). A static system S is such that, for any $r \in Ret$, 

$S \circ r = r \circ S$ 

3 Hybrid Uniform Bounded Variability 

We have already defined in [5] the topological framework of uniform continuity 
based on the $L_\infty$ distance. This notion finds its application in the continuous 
signal sampling theory. In the case of piece-wise constant signals, we have for- 
malised the ad-hoc concept of uniform bounded variability, UBV for short (closely 
linked to non-Zenoness [1]). But the case of hybrid (mixed discrete-continuous) 
signals remained to be handled. We call hybrid signals those signals which are 
piece-wise continuous. One can easily remark that this definition encompasses 
the classical continuous and boolean signals. When trying to generalise the UBV 
definition of [4] to hybrid signals, we can remark that there can be several such 
generalisations. In the sequel, we propose two of them, a general and a strict 
one. 

We first remark that, in boolean signals, discontinuities have constant ampli- 
tude. Now, discontinuities can have different amplitudes and we introduce the 
jump function to characterise them: 

Definition 1 (Jump function). $j_x$ is the function evaluating the discontinuity 
amplitude of signal x at point t: 

$j_x(t) = |x(t^-) - x(t^+)|$ 

The following function counts the number of discontinuities in a given inter- 
val: 

Definition 2 (Discontinuity count function). 

$dc_{x,t_1,t_2}(\varepsilon)$ is the function counting the number of discontinuity points having 
discontinuity amplitude larger than $\varepsilon$ of a signal x in the interval $[t_1, t_2]$: 

$dc_{x,t_1,t_2}(\varepsilon) = \mathrm{card}\{\, t \mid t_1 < t < t_2 \wedge j_x(t) > \varepsilon \,\}$ 

We can then define uniform bounded variability for a hybrid signal as: 

Definition 3 (Uniform Bounded Variability (UBV)). A signal x has uni- 
form bounded variability if 

1. there exists a positive (stable time) function $T_x$ such that, for any positive $\varepsilon$ 
and any interval $[t_1, t_2]$, 

$|t_1 - t_2| < T_x(\varepsilon) \Rightarrow dc_{x,t_1,t_2}(\varepsilon) \le 1$ 

2. there exists a positive (error) function $\eta_x$ such that, for any positive $\varepsilon$ and 
any interval $[t_1, t_2]$ not containing a discontinuity point, 

$|t_1 - t_2| < \eta_x(\varepsilon) \Rightarrow |x(t_2) - x(t_1)| < \varepsilon$ 

This also means that, on the one hand, there is at least a time interval larger 
than $T_x(\varepsilon)$ between any two jumps larger than $\varepsilon$ and, on the other hand, that x 
is "piece-wise uniformly continuous". 



Mixed Delay and Threshold Voters 



Yet, we can note that this definition does not ensure the possibility of finding, 
at any time, a “continuous interval” of minimum length. In this sense, it is a 
looser definition than the one provided for the Boolean case. This is why we can 
propose a stricter definition: 

Definition 4 (Strict Uniform Bounded Variability (SUBV)). A signal x 
is SUBV if it is UBV and 

$\lim_{\varepsilon \to 0} T_x(\varepsilon) = T_x > 0$ 

Thus, $T_x$ is now the minimum time interval between any two discontinuities, 
whatever the associated jumps. 



4 Hybrid Voting 

In this section we recall the classical threshold and delay voting schemes. Then 
we propose a 2/2 hybrid voter which is a mixture of these two aspects 2 . 



4.1 Threshold Voting 

Knowing bounds on the normal deviation between values that should be equal 
easily allows the design of threshold voters. For instance, if x is UBV and con- 
tinuous and if 

$x' = x \circ r + e$ 

with 

— $\|r - id\|_\infty < \eta_x(\varepsilon)$ 

— $\|e\|_\infty < \varepsilon$ 

where 

— $\|\cdot\|_\infty$ is the classical $L_\infty$ norm, i.e., for our piece-wise continuous signals 
with only first kind discontinuities: $\|x\|_\infty = \sup_t |x(t)|$, 

— and $id$ is the identity function. 

We can find a threshold $\varepsilon' = 2\varepsilon$ and design a 2/2-voter: 

voter2/2($x$, $x'$, $\varepsilon'$) = if $|x - x'| < \varepsilon'$ 
                      then $x$ 
                      else alarm 

such that the voter delivers a correct output in the absence of failure and, oth- 
erwise, delivers an alarm. 

2 In the usual terminology for voters, $m/n$ means that m units out of n redundant 
ones should operate correctly in order that the redundant system operates correctly. 
Notations. In this definition and in the sequel, algorithms are expressed using 
a functional notation, that is to say by abstracting over time indices, in order 
to stay consistent with design tools like Simulink 3 or Scade 4. Thus, a signal 
definition $x_1 = x_2$ means $\forall n \in \mathbb{N} : x_1(nT) = x_2(nT)$ where T is the period of 
the computing unit running the algorithm. 



4.2 Delay Voting 

Let us consider boolean UBV signals x and x' where x' is, in normal operation, a 
delayed image of x: 

$x' = x \circ r$ 

with a bound on the delay in correct operation: 

$\|r - id\|_\infty < \tau_x$ 

These signals are received by some unit of period T. However, the assump- 
tion that correct computers have perfect clocks is clearly not realistic. To be 
more realistic, one should consider clock drifts. A frequent assumption is that 
clock drifts are bounded, either because the mission time is bounded or because extra 
mechanisms allow for detecting exceedingly large drifts. Then there exist lower 
($T_m$) and upper ($T_M$) bounds for T and, in each condition involving T, it should 
be replaced by the bound which makes it more pessimistic. We thus assume 
$T_m < T < T_M$. 

We also assume $\tau_x + T_M < T_x(1)$. This assumption guarantees that the joint 
effect of the delay and the sampling at rate T (which can induce an additional 
delay) cannot miss any change of input value (which, by assumption, lasts at least 
$T_x(1)$). Then, 

— the maximum time interval where the two signals may continuously disagree 
is obviously $\tau_x$, 

— the maximum number of samples where two correct copies continuously dis- 
agree is 

$nmax = \left\lfloor \frac{\tau_x}{T_m} \right\rfloor + 1$ 



This allows us to design delay voters for delayed boolean signals. For instance, 
a 2/2 voter could be: 

Definition 5 (2/2 delay voter). 

voter2/2($x_1$, $x_2$, nmax) = $x$ 

where $x, n$ = if $x_1 = x_2$ 
               then $x_1, 0$ 
               else if $\Delta_0 n < nmax - 1$ 
               then $\Delta_{x_0} x, \Delta_0 n + 1$ 
               else alarm 

3 http://www.mathworks.com 

4 http://www.esterel-technologies.com 

where $\Delta_{x_0}$ is the delay operator such that $\Delta_{x_0} x(t) = x(t - \tau)$ with initial value 
$x_0$. 



— this voter maintains a counter n with initial value 0, and its previous output, 
with some known initial value $x_0$, 

— whenever the two inputs agree, it outputs one input and resets the counter, 

— else, if the counter has not reached nmax - 1, it increments it and outputs 
the previous output, 

— else it raises an alarm. 

Theorem 2. voter2/2 raises an alarm if the two inputs disagree for more than 
$nmax\,T_M$ and otherwise delivers the correct value with maximum delay 
$(nmax + 1)\,T_M$. 



4.3 Hybrid Delay-Threshold Voting 

Can we now mix the two previous voters, the threshold one and the delay one? This 
would amount to defining a hybrid voter: 

Definition 6 (2/2 hybrid voter). 

hyb_voter2/2($x$, $x'$, nmax, $\varepsilon'$) = $y$ 

where $y, n$ = if $|x - x'| < \varepsilon'$ 
               then $x, 0$ 
               else if $\Delta_0 n < nmax - 1$ 
               then $\Delta_{x_0} y, \Delta_0 n + 1$ 
               else alarm 

— this voter maintains a counter n with initial value 0, and its previous output, 
with some known initial value $x_0$, 

— whenever the two inputs threshold-agree, it outputs one input and resets the 
counter, 

— else, if the counter has not reached nmax - 1, it increments it and outputs 
the previous output, 

— else it raises an alarm. 

On which condition could we state the following desirable proposition? 

Theorem 3 (Hybrid voter property). hyb_voter2/2 raises an alarm if the 
two inputs differ by more than $\varepsilon'$ during more than $nmax\,T_M$ and otherwise 
delivers the correct value with maximum delay $(nmax + 1)\,T_M$. 
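Definitions 5 and 6 as an added Python example (not the paper's own code): the hybrid 2/2 voter node with its counter, the delay voter as its boolean special case, and two constructed sampled scenarios, one nominal (x' is x delayed by tau and perturbed within epsilon, so the voter repeats its previous output around the jump and never alarms) and one where the second copy freezes, so the disagreement outlasts nmax samples and the voter alarms. The reference signal, T, tau and epsilon are constructed values, and nmax follows the bound floor(tau / T_m) + 1 of Section 4.2.

```python
"""2/2 delay voter (Definition 5) and 2/2 hybrid delay-threshold voter
(Definition 6) as synchronous nodes stepped once per sampling period.
Added example, not the paper's code; signals and parameters are constructed."""
import math

ALARM = "alarm"


def n_max(tau, t_m):
    """Maximum number of consecutive samples on which a copy delayed by at
    most tau may disagree with the original sampled at a period >= t_m."""
    return math.floor(tau / t_m) + 1


class HybridVoter22:
    """hyb_voter2/2(x, x', nmax, eps'): output x while |x - x'| < eps';
    otherwise repeat the previous output for up to nmax - 1 consecutive
    samples, then raise an alarm.  State: previous output y (initially x0)
    and counter n (initially 0), as in the paper's bullet list."""

    def __init__(self, nmax, eps_prime, x0):
        self.nmax, self.eps_prime = nmax, eps_prime
        self.y, self.n = x0, 0

    def step(self, x, x_prime):
        if abs(x - x_prime) < self.eps_prime:  # the two inputs threshold-agree
            self.y, self.n = x, 0
        elif self.n < self.nmax - 1:           # Delta_0 n < nmax - 1
            self.n += 1                        # keep Delta_x0 y as the output
        else:
            return ALARM
        return self.y


def delay_voter_22(nmax, x0=0):
    """voter2/2(x1, x2, nmax) on boolean (0/1) signals is the hybrid voter
    with a threshold strictly between 0 and the unit jump: |x1 - x2| < 0.5
    holds exactly when x1 = x2."""
    return HybridVoter22(nmax, 0.5, x0)


def reference(t):
    """Constructed piece-wise continuous reference: constant 1.0, a jump to
    2.0 at t = 1.05, then a ramp of slope 0.1."""
    return 1.0 if t < 1.05 else 2.0 + 0.1 * (t - 1.05)


def nominal_scenario(T=0.1, tau=0.25, eps=0.05, samples=25):
    """x' = x o r + e with r(t) = t - tau and |e| <= eps (alternating sign).
    The ramp moves by 0.1 * tau = 0.025 over the delay, so away from the jump
    |x - x'| <= 0.075 < eps' = 2 * eps; around the jump the two copies
    disagree on fewer than nmax samples.  Returns the voter outputs."""
    voter = HybridVoter22(n_max(tau, T), 2 * eps, x0=1.0)
    outputs = []
    for k in range(samples):
        t = k * T
        e = eps if k % 2 == 0 else -eps
        outputs.append(voter.step(reference(t), reference(t - tau) + e))
    return outputs


def stuck_copy_scenario(T=0.1, tau=0.25, eps=0.05, samples=25):
    """The second copy freezes at 1.0 and never follows the jump: the
    disagreement lasts longer than nmax samples and the voter must alarm."""
    voter = HybridVoter22(n_max(tau, T), 2 * eps, x0=1.0)
    return [voter.step(reference(k * T), 1.0) for k in range(samples)]


if __name__ == "__main__":
    print("nmax =", n_max(0.25, 0.1))
    print("nominal:", nominal_scenario())
    print("stuck copy:", stuck_copy_scenario())
```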

The SUBV Case. Let us consider a hybrid signal x' which is, in normal 
operation, a delayed and perturbed image of the SUBV signal x: 

$x' = x \circ r + e$ 

with bounds $\varepsilon$ on errors and $\tau$ on delays: 

$\|e\|_\infty \le \varepsilon$ 
$\|r - id\|_\infty < \tau$ 

These two signals are received by some unit of period T ($T_m < T < T_M$) and 
we assume $\tau + T_M < \inf\{T_x, \eta_x(\varepsilon)\}$. 

Then we can find a threshold $\varepsilon' = 2\varepsilon$ such that (3) holds: 

— the maximum time interval where the two signals may continuously differ by 
more than $\varepsilon'$ is obviously $\tau$, 

— the maximum number of samples where the two signals may continuously 
differ by more than $\varepsilon'$ is 

$nmax$ 



The UBV Case. On the contrary, in the simpler UBV case, we can find exam- 
ples for which (3) does not hold. Let us consider the piece-wise constant signal 
$x_c$ (see Fig. 2) with the sequence of discontinuity points and corresponding jumps 
indexed on $0 < n,\ p < n$: 

$t_{x_c}(n,p) = n +$ 

$j_{x_c}(t_{x_c}(n,p)) =$ 

1 

On the one hand, it is easy to check that this signal is UBV, with $T_{x_c}(\varepsilon) = \varepsilon^2$, 
but not SUBV because $\lim_{\varepsilon \to 0} T_{x_c}(\varepsilon) = 0$. On the other hand, we cannot find a 
voter for this signal because its "average" slope is ever increasing. For any t, T, 
we have: 

$\dfrac{x_c(t + T) - x_c(t)}{T} \simeq \sqrt{t}$ 

In the following section we present the Skorokhod topology which will let us 
deal with hybrid signals in a uniform manner. This common framework lets us 
calculate and finely tune the voter parameters as function of the input properties. 



5 The Skorokhod Topology 

5.1 The Skorokhod Distance 

This distance [3, 8] has been proposed as a generalisation of the usual $L_\infty$ dis- 
tance so as to account for discontinuities. 

Definition 7 (Skorokhod distance). 

$d_s(x, y) = \inf_{r \in BRet} \left( \|r - id\|_\infty + \|x - y \circ r\|_\infty \right)$ 

where BRet is the set of bijective retimings. 

Fig. 2. An example where $x_c$ is increasing with an average slope $\sqrt{t}$. 



We see here the idea of this definition: instead of comparing the signals at the 
same times, we allow shifts in time before comparing points, provided the shifts 
are bijective, i.e., we don’t miss any time. In this definition, the use of bijective 
retimings is fundamental. Otherwise, it could be easily shown that it would not 
be a distance: for instance symmetry and triangular inequality could be violated. 

But this distance is not easy to manipulate because it sums up delays and 
errors. Hence, we adopt below an equivalent topology which is more flexible. 



5.2 A Skorokhod Topology 

Definition 8 (Skorokhod tube). Let x be a signal, $\tau > 0$ and $\varepsilon > 0$. We call 
Skorokhod tube centred at x with $\tau$ and $\varepsilon$ as parameters, the set: 

$B(\tau, \varepsilon, x) = \{\, y \mid \exists r_y \in BRet,\ \|r_y - id\|_\infty < \tau \wedge \|x - y \circ r_y\|_\infty < \varepsilon \,\}$ 

It is easy to see that these tubes form a topological basis and define a topology 
which is equivalent to the one induced by the Skorokhod distance. 

Definition 9 (Uniform Skorokhod Continuity (USC)). A signal x is uni- 
formly Skorokhod continuous if there exists a positive function $\theta_x$ from delays 
and errors to delays such that, for all $\varepsilon > 0$, $\tau > 0$ and retiming r, 

$\|r - id\|_\infty < \theta_x(\tau, \varepsilon) \Rightarrow x \circ r \in \overline{B}(\tau, \varepsilon, x)$ 

where $\overline{B}$ denotes the closure of B. 

In this definition of uniform continuity, we dissociate errors and delays and 
this allows us to operate separately on these two parameters. But we preserve their 
dependence through the error function $\theta_x$ which ensures that a small distortion 
of a reference signal x remains in a specified Skorokhod tube (see Fig. 3). 
Fig. 3. Skorokhod tube around a reference signal. 



5.3 Relation with Tube Languages [6] 

In [6], a topological notion of robust hybrid automata was defined which looks 
very close to this one. The idea is also to allow deviations both in value and in 
time, and this is achieved by considering a signal $x$ as the set of couples $\{(x(t), t) \mid t \in \mathbb{R}\}$. 
Then the tube distance $d_t$ between two signals $x$ and $y$ is defined as the 
Hausdorff distance between the two sets 5: 

$d_t(x,y) = \sup\{\, \sup_t \inf_{t'} (|x(t) - y(t')| + |t - t'|),\ \sup_t \inf_{t'} (|x(t') - y(t)| + |t - t'|) \,\}$ 

We can, however, state the following proposition: 

Theorem 4. The Skorokhod topology is finer than the tube one. 

This is due to the fact that, for any $x, y$, $d_t(x,y) \le d_s(x,y)$. As a matter of fact, 
the correspondence between $t$ and $t'$ in the tube distance can be any mapping 
while, in the Skorokhod distance, it is bound to be a bijective increasing one. 

5.4 Skorokhod Topology and Bounded Variability 

We can now state this important property of USC signals: 

Theorem 5 (USC signal property). If the signal $x$ is USC, there exist a 
positive (stable time) function $T_x$ and a discontinuity number function $n_x$ such that, for 
any positive $\varepsilon$ and any interval $[t_1, t_2]$, 

$|t_1 - t_2| \ge T_x(\varepsilon) \Rightarrow \mathrm{disc}_{x,[t_1,t_2]}(\varepsilon) \le n_x(\varepsilon)$ 

where $\mathrm{disc}_{x,[t_1,t_2]}(\varepsilon)$ is the number of $\varepsilon$-discontinuity points of $x$ in $[t_1, t_2]$. 

Proof. Let $\varepsilon > 0$, $\tau > 0$, $\alpha = \varepsilon/3$ and $n_x = \lceil \tau / \theta_x(\tau, \alpha) \rceil + 1$. Let us show that if $x$ 
can have $n_x$ $\varepsilon$-discontinuity points 6 arbitrarily close, it cannot be the case that: 

5 We present a variation with respect to the original presentation, which is based on the 
Euclidean distance, but this deviation is minor as all finite product distances are 
equivalent. 

6 An $\varepsilon$-discontinuity point is a point where the signal exhibits a jump of amplitude larger 
than $\varepsilon$. 
$\forall r \in Ret,\ \|r - id\|_\infty < \theta_x(\tau, \alpha) \Rightarrow x \circ r \in \overline{B}(\tau, \alpha, x)$ 

Let us show first that we can design a retiming $r$ which erases $(n_x - 1)$ $\alpha$-discontinuity 
points out of any $n_x$ $\alpha$-discontinuity points closer than $2\theta_x(\tau, \alpha)$. 
Let $t_1, \ldots, t_{n_x}$ be such a tuple: 

$t_1 < t_{n_x} < t_1 + 2\theta_x(\tau, \alpha)$ 

It suffices to take (see Fig. 4): 

$r(t_1^-) = r(t_{n_x}^+)$ 

If $x$ were USC, we could find a bijective retiming $r'$ such that $\|r' - id\|_\infty < \tau$ 
and $\|x - x \circ r \circ r'\|_\infty < \varepsilon/3$. 



Fig. 4. Example of a signal $x$ with $n_x$ discontinuity points closer than $2\theta_x(\tau, \alpha)$. We 
show how $r$ reduces the time interval $[t_1, t_{n_x}]$ to a single point. Thus, $r$ erases the 
signal $x$ on this time interval. 



Let us consider $t$, an $\varepsilon$-discontinuity point of $x$ which was erased by $r$ in 
an $n_x$-tuple of $\varepsilon$-discontinuity points. Note that, since we assume that $x$ has 
$n_x$ $\varepsilon$-discontinuity points arbitrarily close, it has an unbounded number of $n_x$-tuples of 
$\varepsilon$-discontinuity points closer than $2\theta_x(\tau, \alpha)$ and, in any of these $n_x$-tuples, we 
can choose any of these points as $t$. Then we have: 

$|x(t^-) - x(t^+)| \le |x(t^-) - x \circ r \circ r'(t^-)| + |x \circ r \circ r'(t^-) - x \circ r \circ r'(t^+)| + |x \circ r \circ r'(t^+) - x(t^+)|$ 

Since $t$ is an $\varepsilon$-discontinuity point of $x$, 

$|x(t^-) - x(t^+)| > \varepsilon$ 



Now, we can remark that $x \circ r \circ r'$ has fewer than $(n_x - 1)$ $\alpha$-discontinuity points 
in any time interval of length $2(\tau + \theta_x(\tau, \alpha))$. This is due to the condition on $n_x$, as $n_x - 1$ 
points cannot partition a $2(\tau + \theta_x(\tau, \alpha))$ interval into $n_x$ sub-intervals larger than 

$\frac{2(\tau + \theta_x(\tau, \alpha))}{n_x} < 2\theta_x(\tau, \alpha).$ 

Thus, among the $(n_x - 1)$ erased $\varepsilon$-discontinuity points of $x$, there is at least 
one which cannot be associated with an $\alpha$-discontinuity point of $x \circ r \circ r'$. Let 
the chosen $t$ be such a point. We have: 



$|x \circ r \circ r'(t^-) - x \circ r \circ r'(t^+)| < \frac{\varepsilon}{3}$ 

Hence, 

$\frac{2\varepsilon}{3} < |x(t^-) - x \circ r \circ r'(t^-)| + |x \circ r \circ r'(t^+) - x(t^+)|$ 

This lets us state that at least one of these two terms is strictly 
greater than $\frac{\varepsilon}{3}$, which contradicts the hypothesis 

$x \circ r \in \overline{B}(\tau, \frac{\varepsilon}{3}, x)$ 

Corollary 1. If $x$ is USC, then, for any $\varepsilon$, in any time interval larger than 
$T_x(\varepsilon)$, there exists a time interval larger than not containing any $\varepsilon$-discontinuity point. 



We see here the effect of the USC definition: it ensures that we can find in the signal 
infinitely many stable intervals, large enough and not too far from each other. 



5.5 The Voting Scheme 

The Skorokhod topology now allows us to give a wider answer to the question 
raised in 4.3, thanks to the following proposition: 

Theorem 6. Let $x$ be a USC signal and $y \in B(\tau, \varepsilon, x)$. If 

$0 < 2\tau < 2\theta_x(\tau, \varepsilon) < \frac{T_x(\varepsilon)}{n_x(\varepsilon) + 1},$ 

there exist positive $T_1, T_2$ such that, for any $t$, there exist $t_1, t_2$ with 

$|t - t_1| < T_1$ 
$t_1 + T_2 < t_2$ 

such that, for any $t'$ with $t_1 < t' < t_2$, 

$|x(t') - y(t')| < 4\varepsilon$ 



Mixed Delay and Threshold Voters 33 



Proof. We first prove the following lemma: 

Lemma 2. Let $x$ be a USC signal. Let $\varepsilon > 0$ and $0 < \tau < \theta_x(\tau, \varepsilon)$. If $t_1 < t_2$ 
are two points located within an interval larger than $2\theta_x(\tau, \varepsilon)$ not containing any 
$\varepsilon$-discontinuity point and such that 

$|t_2 - t_1| < 2\theta_x(\tau, \varepsilon)$ 

then 

$|x(t_1) - x(t_2)| < 3\varepsilon$ 



Proof. Let $T = [\alpha, \beta]$ be this interval. Let us define the point $t$ as follows: 

if $t_1 < \alpha + \theta_x(\tau, \varepsilon)$ then $t = \alpha + \theta_x(\tau, \varepsilon)$; 
else if $t_2 > \beta - \theta_x(\tau, \varepsilon)$ then $t = \beta - \theta_x(\tau, \varepsilon)$; 
else $t = \frac{t_1 + t_2}{2}$. 

We can choose a retiming $r$ with $\|r - id\|_\infty < \theta_x(\tau, \varepsilon)$ satisfying $r(t^-) = t_1$ and 
$r(t^+) = t_2$. 

To this $r$ we can thus associate a bijective (hence continuous) $r'$ such that: 

$|r'(t) - t| < \tau$ 
$|x(t_1) - x(r'(t)^-)| < \varepsilon$ 
$|x(t_2) - x(r'(t)^+)| < \varepsilon$ 

Then 

$|x(t_1) - x(t_2)| \le |x(t_1) - x(r'(t)^-)| + |x(r'(t)^-) - x(r'(t)^+)| + |x(t_2) - x(r'(t)^+)|$ 

and 

$|x(t_1) - x(t_2)| < 2\varepsilon + |x(r'(t)^-) - x(r'(t)^+)|$ 

The point $t$ that we have chosen lies in all cases in the interval $[\alpha + \tau, \beta - \tau]$. 
We can then check that $r'(t) \in ]\alpha, \beta[$ holds for any bijective retiming $r'$ verifying 
$\|r' - id\|_\infty < \tau$. But $]\alpha, \beta[ \subseteq T$, in which $x$ has no jump larger than $\varepsilon$; thus we 
obviously have $|x(r'(t)^-) - x(r'(t)^+)| \le \varepsilon$. 

Hence, the two points $t_1$ and $t_2$ are such that $|x(t_1) - x(t_2)| < 3\varepsilon$. 



Proof of the proposition. There exists $r_0 \in BRet$ such that $\|r_0 - id\|_\infty < \tau$ and 
$\|x - y \circ r_0\|_\infty < \varepsilon$. Let $(a_i)_{i \in \mathbb{N}}$ be the sequence of $\varepsilon$-discontinuities of $x$ and 
$(b_i)_{i \in \mathbb{N}}$ the sequence defined by $b_i = r_0(a_i)$. From the sequence $a_i$, we can extract the 
subsequence $a_{i_j}$ of the points which begin a stable interval, i.e., 

$a_{i_j} + \frac{T_x(\varepsilon)}{n_x(\varepsilon) + 1} < a_{i_j + 1}$ 

We consider the retiming $r$ such that: 

$r(t) = t$ if $t \in ]\max(a_{i_j}, b_{i_j}), \min(a_{i_j+1}, b_{i_j+1})]$ 
$r(t) = \min(a_{i_j}, b_{i_j})$ if $t \in ]\min(a_{i_j}, b_{i_j}), \max(a_{i_j}, b_{i_j})]$ 
It is easy to remark that $\|r - id\|_\infty < \tau$. For all $t$ in $]\max(a_{i_j}, b_{i_j}), \min(a_{i_j+1}, b_{i_j+1})]$ we have: 

$|x \circ r(t) - y \circ r(t)| = |x(t) - y(t)|$ 
$|x \circ r(t) - y \circ r(t)| \le |x(t) - x \circ r_0^{-1}(t)| + |x \circ r_0^{-1}(t) - y(t)|$ 
$|x \circ r(t) - y \circ r(t)| < 4\varepsilon$ 

because $t$ and $r_0^{-1}(t)$ fulfil the conditions of Lemma 2. 

We can thus take 

$T_1 = 2\,T_x(\varepsilon)$ 

which is the maximum length of any $[\max(a_{i_j}, b_{i_j}), \max(a_{i_{j+1}}, b_{i_{j+1}})]$ interval, and 

$T_2 = \frac{T_x(\varepsilon)}{n_x(\varepsilon) + 1} - 2\tau$ 

which is the minimum length of any $[\max(a_{i_j}, b_{i_j}), \min(a_{i_j+1}, b_{i_j+1})]$ interval. 



This proposition means that if a signal is within some neighbourhood of 
another, USC, signal, the two signals cannot continuously differ by more than 
a given threshold for more than a given time. More precisely, if 

$T_m < T_1$ 

then, in normal operation, the two signals cannot differ by more than $4\varepsilon$ for 
more than $n_{max}$ samples, with: 

$n_{max} = \left\lfloor \frac{T_1}{T_m} \right\rfloor + 1$ 

This property thus explicitly links signal properties to the voter parameters, 
which allows designing robust voters in critical real-time embedded systems. 
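As an added example, not code from the paper, here is a sampled voter that applies the bound above: it assumes values for $T_x(\varepsilon)$, $n_x(\varepsilon)$, $\tau$ and $\varepsilon$, builds a constructed step signal $x$, a copy $y$ that lies in the Skorokhod tube $B(\tau, \varepsilon, x)$ of Definition 8, and a diverged copy $z$, and flags a discrepancy only when the $4\varepsilon$ threshold is exceeded for more than $n_{max}$ consecutive samples.

```python
"""Added example (not the paper's own code): a sampled mixed delay/threshold
voter built on the bound of Section 5.5.  A constructed step signal x and a
copy y inside the Skorokhod tube B(tau, eps, x) of Definition 8 (jumps shifted
by 0.15 < tau, values offset by 0.05 < eps) are sampled every T_m; the voter
raises an alarm only when |x - y| exceeds 4*eps on more than n_max consecutive
samples, n_max = floor(T_1 / T_m) + 1.  T_x and n_x are assumed values."""
import math


def step_signal(jumps, x0=0.0):
    """Right-continuous piece-wise constant signal from (time, jump) pairs."""
    def x(t):
        return x0 + sum(j for tj, j in jumps if tj <= t)
    return x


def voter_windows(T_x, n_x, tau):
    """T_1 and T_2 of Theorem 6: T_1 = 2 T_x(eps), T_2 = T_x(eps)/(n_x(eps)+1) - 2 tau.
    The theorem needs 2 tau < T_x/(n_x+1); only that part of its premise is
    checkable here, since theta_x is not known numerically."""
    stable = T_x / (n_x + 1)
    if not 0 < 2 * tau < stable:
        raise ValueError("2*tau must be smaller than T_x/(n_x+1)")
    return 2.0 * T_x, stable - 2.0 * tau


def n_max_samples(T_1, T_m):
    """Longest tolerated run of out-of-threshold samples (Section 5.5)."""
    if not T_m < T_1:
        raise ValueError("sampling period T_m must be smaller than T_1")
    return math.floor(round(T_1 / T_m, 9)) + 1


def vote(x, y, T_m, horizon, threshold, n_max):
    """Sample x and y at k*T_m for 0 <= k*T_m <= horizon.  Returns
    (alarm_sample, longest_run): alarm_sample is the index of the first sample
    at which the run of |x-y| > threshold exceeds n_max, or None."""
    run = longest = 0
    k = 0
    while True:
        t = round(k * T_m, 12)          # avoid 0.1*30 = 3.0000000000000004
        if t > horizon:
            return None, longest
        if abs(x(t) - y(t)) > threshold:
            run += 1
            longest = max(longest, run)
            if run > n_max:
                return k, longest
        else:
            run = 0
        k += 1


# Constructed reference signal: unit jumps at t = 1, 3, 5 (stable gaps of 2).
X_JUMPS = [(1.0, 1.0), (3.0, 1.0), (5.0, 1.0)]
x_sig = step_signal(X_JUMPS)
# Assumed signal parameters for x: T_x(eps) = 2 with n_x(eps) = 2 (an interval
# of length 2 contains at most two jumps); tube parameters tau = 0.2, eps = 0.1;
# sampling period T_m = 0.1.
T_X, N_X, TAU, EPS, T_M = 2.0, 2, 0.2, 0.1, 0.1
# y lies in B(tau, eps, x): the bijective retiming r_y(t) = t + 0.15 gives
# ||r_y - id|| = 0.15 < tau and ||x - y o r_y|| = 0.05 < eps.
y_sig = lambda t: x_sig(t - 0.15) + 0.05
# z is a genuinely diverged channel: a permanent offset of 1 from t = 2 on.
z_sig = lambda t: x_sig(t) + (1.0 if t >= 2.0 else 0.0)


def run_demo():
    """Voter windows, n_max and the verdicts for the tube copy and the diverged copy."""
    T_1, T_2 = voter_windows(T_X, N_X, TAU)
    n_max = n_max_samples(T_1, T_M)
    return {
        "T_1": T_1, "T_2": T_2, "n_max": n_max,
        "tube_copy": vote(x_sig, y_sig, T_M, 8.0, 4 * EPS, n_max),   # (None, 2)
        "diverged": vote(x_sig, z_sig, T_M, 8.0, 4 * EPS, n_max),    # (61, 42)
    }


if __name__ == "__main__":
    print(run_demo())
```

The tube copy disagrees with $x$ for only two samples around each shifted jump, far below $n_{max} = 41$, while the diverged copy trips the voter at sample 61.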



6 Conclusion 

This paper has intended to provide a satisfactory theory for merging threshold 
voters, adapted to continuous signals, with delay voters, adapted to 
boolean signals, in order to cope with hybrid piece-wise continuous signals. One 
problem in performing this merge was that, while threshold voters are based on 
uniform continuity, delay voters are based on a more ad hoc notion of uniform 
bounded variability. We show in the paper that the Skorokhod topology allows 
us to perform this merge in a more uniform and also more general manner. 

Moreover, this voting problem is clearly related to the more general sampling 
problem for hybrid systems, and the results provided here may also help in defining 
which hybrid systems can be accurately sampled. This can be a subject for 
future work. 

Yet we can also notice that our results may not be the last word in the 
play. First, the relations with the tube distance of [6] have only been partially 
explored. Moreover, our final result only shows some topological signal properties 
allowing voters to be designed. But the converse property, that signals for which 
voters can be designed fulfil these properties, has not been proved and is likely 
to be false. This leads us to think that there is perhaps an even more general 
"votability" property that remains to be defined. 
Abstract. The paper discusses a constructive approach to the temporal logic 
specification and analysis of dependability requirements of automation systems. 
The work is based on the TRIO formal method, which supports a declarative temporal 
logic language with a linear notion of time, and makes use of UML class 
diagrams to describe the automation system. The general concepts presented for 
the automation system domain are here instantiated on a case study application 
taken from the energy distribution field. 



1 Introduction 

The design of critical systems is faced with the need to devise appropriate "dependability 
strategies", that is to say the need to choose and specify a set of steps that 
allow improving the reliability of the system. In the project DepAuDE [6] 1 this issue 
has been investigated, and a methodology to support the analyst in collecting and analyzing 
system dependability requirements, aimed at designing appropriate Fault Tolerance 
(FT) solutions, has been devised through a collaboration between the CESI 2 company 
and the University of Torino. 

The application domain for the methodology is that of distributed cyclic control 
systems, while the specific application considered in the case study presented here is 
related to the automation system for primary substations of the electricity distribution network 
(called PSAS in the following), proposed by CESI within the DepAuDE project 
[5]. The PSAS provides the tele-control and protection functions of the Primary Substations 
(PSs), where PSs are nodes of the electric distribution grid connecting the 
High Voltage transportation network to the Medium Voltage distribution. The aspects 
of PSAS that are relevant for this paper concern the cyclic behavior and the synchronization 
issues of the distributed automation systems local to the PS, and they will be 
introduced, when needed, in Section 4. 

Three different formalisms collaborate in a synergic manner in the methodology: 
UML Class Diagrams [21] (CDs from now on), a static paradigm, TRIO [12] temporal 

* Partially funded by Italian Ministry of Productive activities - Rete 21 - SITAR project. 

1 EEC-IST-2000-25434 DepAuDE (Dependability for embedded Automation systems in Dy- 
namic Environment with intra-site and inter-site distribution aspects) project. 

2 CESI is an Italian company providing services and performing research activities for the Elec- 
tric Power System. 
logic, and Stochastic Petri nets [19] (PN), an operational paradigm aimed at performance 
and dependability evaluation. A multi-formalism approach during the dependability 
process is also advocated by emerging standards like IEC 60300 [4]. 

Class Diagrams are the "entry level" in the methodology, which provides a set of pre-defined 
CDs for the automation system domain, called "the generic scheme", and guidelines 
on how to produce from it an instantiated one that refers to the target application. 
Diagrams are meant as a support for the requirements collection and/or for structuring 
and/or reviewing for completeness already available requirements. In DepAuDE 
we have studied how the information available in the scheme can be used as a starting 
point for the modelling efforts with TRIO and SPN. The role of Stochastic Petri nets 
in the DepAuDE approach is to evaluate the reliability of the candidate dependability 
strategies [7, 1], while in this paper we discuss the role of TRIO and its links to the CDs. 

TRIO is a linear temporal logic that finds its origins in the nineties as a joint effort of 
Politecnico di Milano and ENEL as a formal declarative language for real-time systems. 
Since then several TRIO dialects and validation tools have been prototyped (e.g., [18], 
[10]) and used in several projects. We use Modular TRIO Language [3] and a tool set 
developed in the FAST project 3 , implemented over the Prover Kernel [9]. 

In DepAuDE TRIO has been used for specifying and analysing dependability requirements 
and fault tolerance strategies in a temporal logic framework. The choice of 
a declarative language, and in particular a logic formalism like TRIO, has been driven 
by the analysis methods followed at CESI, where TRIO is common practice for system 
analysis of timed properties. Other choices are indeed possible, like that of using 
an operational formalism based on extended State-charts, as proposed, for example in the 
embedded system field, in [14]: the advantages and disadvantages of operational versus 
declarative formalisms are well established, and we shall not discuss them here. 

The work on CDs and TRIO in DepAuDE takes its basis from the preliminary work 
in [11], in which the first ideas on the use of CDs in the context of dependability analysis 
of automation systems and the possibilities of cooperation of TRIO specifications with 
CD models were discussed. The work presented in this paper represents a step forward, 
by introducing a three-step incremental specification: the derivation of the TRIO specification 
structure from the UML Class Diagrams, a first completion of the specification 
with domain dependent knowledge, and the full formalisation with application dependent 
knowledge. The goal of this three-step procedure is to provide the user with a more 
structured approach to the construction of logic specifications, and to allow reuse of 
partial specifications. 

This paper describes the three steps and demonstrates their efficacy through the 
PSAS case study. Due to space constraints, the paper concentrates the analysis only 
on timing properties, while the complete case study can be found in [7]. 

The paper is structured as follows. Section 2 recalls the language TRIO and its 
analysis capability. Sect. 3 summarizes the CD scheme proposed in DepAuDE, Sect. 4 
introduces the three-step procedure and its application to the PSAS, while Sect. 5 
discusses the analysis methodology with examples from the PSAS. 



3 ESPRIT FAST Project No. 25581 (Integrating Formal Approaches to Specification, Test case 
generation and automatic design verification). 




38 Simona Bernardi, Susanna Donatelli, and Giovanna Dondossola 



2 Basic TRIO Methodology 

A TRIO specification is structured into classes, and each class includes a declaration 
session followed by a formulae session. The declaration session defines the signature of 
TRIO items (atomic propositions, predicates, values and functions), which are grouped 
into Time Independent (TI) and Time Dependent (TD) items, and the types for the value 
domains of predicates, values and functions. 

TRIO formulae are expressed in a temporal logic language that supports a linear 
notion of discrete time. Beyond the propositional operators and, or, xor, implies, iff 
(&, |, ||, ->, <-> in TRIO syntax) and the quantifiers ∃, ∀, ∄ (all, ex, nex in TRIO), 
TRIO formulae can be composed using the primitive temporal operator Dist and derived 
temporal operators. Dist allows referring to events occurring in the future or in the 
past with respect to the current, implicit time instant. If F is a TRIO formula and δ is a 
term of time type, then Dist(F, δ) is satisfied at the current time instant if and only if F 
holds at the instant lying δ time units ahead of (or behind, if δ is negative) the current one. 
Derived temporal operators can be defined from Dist through propositional composition 
and first order quantification on variables representing a time distance [3]. The intuitive 
semantics of the operators used in this paper is as follows: Alw(F) (F is always true), 
AlwF(F) (F will always be true in the future), AlwP(F) (F has always been true in the 
past), Becomes(F) (F is true now and it was false in the instant immediately preceding 
the current one), NextTime(F, δ) (F will become true exactly δ time units from now, and from now 
till that instant it will be false). TRIO is linear and time is implicit: all properties refer 
to a single execution observed at the current time. 

The formulae session may include: definitions, axioms, properties and Abstract Test 
Cases (ATC): they are all temporal logic formulae, but they play different roles in 
the analysis. Definitions are a macro-expansion mechanism, axioms express system requirements 
(the description of the system), properties express requirements that have 
to be derivable from the set of axioms (the system properties of interest), and ATC are 
formulae compatible with the axioms that are used to focus the analysis on relevant, 
more restricted, contexts (a particular behavior of the system). 

The TRIO tool supports automatic proof sessions based on three proof techniques: 
model generation, property proof, and test case generation. Model generation produces 
a set of temporal logic models (called TRIO histories) for the selected properties: a 
model is graphically represented by a set of up/down functions plotting the truth value 
of a Time Dependent (TD) proposition/predicate on the time line. Property proof com- 
putes the validity of a property. If the property is not valid then counter models are 
produced. Test case generation allows the automatic generation of a set of test cases 
according to a number of testing criteria. The analysis requires the setup of the “proof 
session” to specify the portion of the specification to be used for the proof, the choice 
of the proof technique, and the setting of the time interval considered. 



3 UML Class Diagrams for Automation Systems 

The DepAuDE "generic scheme" consists of a set of UML Class Diagrams (CDs) capturing 
generic issues considered relevant for a wide class of dependable automation 
applications. From the generic scheme, an instantiation activity (described in [2]) allows 
deriving an instantiated CD scheme that specifies a given application (system 
description and associated dependability requirements). 

Fig. 1. Hierarchical Structure of the packages. 

The set of CDs is grouped into the hierarchical structure of UML packages represented 
in Fig. 1, where each non-leaf package encapsulates a set of inner packages 
together with their dependency relationships, which indicate a suggested order of use. For 
each innermost package one or more CDs are provided that constitute different views 
on the system being described, focusing on aggregation, generalization/specialization, 
and class definition (associations and attributes) aspects of a portion of the system. In 
the scheme the class attributes are stereotyped to represent either parameters provided 
as input to the specifications, or measures to be evaluated, or upper/lower bounds to be 
validated. Let us now provide an overview of the scheme, following Fig. 1. 

System Model addresses the system requirements. It specifies 1) the conceptual structure 
of an automation system; 2) the association of automation functions to system 
components; 3) the association of (real) time requirements to system components and/or 
functions; and, finally, 4) the association of dependability attributes to system components 
and/or functions. The CDs that are most relevant for the presented case study are 
the CD Structure and the CD Constraints. In the CD Structure the whole automated system is decomposed into automation 
sites connected by an automation communication infrastructure. An automation system 
residing on a given site is defined as an aggregation of automation components and of 
automation functions. An automation component may directly control a (set of) plant 
components through the association control. The CD Constraints allows identifying those 
temporal attributes which are considered relevant for the specification of automation 
systems, such as cycle_time, which refers to the time required by the automation system 
to execute a complete cycle (i.e., read a sample input from the plant, elaborate to produce 
the future state and provide output to the plant). The attribute cycle_time is defined 
as a bound to be validated in the generic CD, and as a specific value (100 ms) on the 
instantiated CD. 

Figure 2(C) shows a very small portion of the CD that describes the PSAS automation 
system, made of three Automation Components and with two relevant attributes. 

Fig. 2. View of the instantiated CD Strategy (A), FEF chain (B), and Strategy (C). 

Dynamic Environment Model. The package DE Model captures several concepts on 
the fault theory expressed in the literature [16], and its extension to malicious faults, as 
developed by the European MAFTIA project [24] and partially modified upon CESI experience. 
It contains three sub-packages (Fault Model, Error Model and Failure Model), 
each one characterizing a different view of a fault evolution, from its appearance to its 
recovery and/or repair. The CDs are connected so as to reflect the propagation effect 
linking faults to errors and errors to failures (FEF chain). 

Once customized on a specific application, the CD of the FEF chain shows which 
faults provoke which errors and which (set of) errors provoke a failure. The diagram also 
connects each type of fault, error and failure with the corresponding system components 
affected by it: a fault may affect an automation component (elaboration, memory or 
communication unit), and an error may affect an automation function performed by the 
faulty component. If a function is affected by an error, the error can be propagated to 
another function, thus provoking an error in that function. If errors are not recovered 
in due time, failures may appear. The FEF chain for the PSAS is given in Fig. 2(B). 

Strategy Model. This package concerns the representation of the dependability strategy. 
A dependability strategy is defined as an aggregation of (temporal) steps in which 
actions have to be undertaken in order to stop the fault evolution. The Dependability 
Step CD supports a classification of those steps and connects them to the fault, error, 
and failure elements addressed by the step. The PSAS strategy consists of three steps: 
an error detection followed by an attempt at error recovery and, eventually, a system 
reconfiguration: the corresponding CD is shown in Fig. 2(A). 

4 TRIO Scheme in DepAuDE 

The TRIO formalization is aimed at describing and analyzing the logic of a dependability 
strategy following the requirements collected and structured according to the 
UML scheme. The analysis concerns the temporal evolution of an automation system 
integrating a dependability strategy. The TRIO specification is built incrementally, and 
each partial specification is validated by several proof sessions. 

In the DepAuDE Methodology the TRIO formalisation of dependability requirements 
is an extension of their representation in UML Class Diagrams. The relation 
between UML class diagrams and TRIO forms is a partial one: only a subset of the 
UML class attributes and associations is related with elements of the TRIO scheme 
and, vice-versa, which is not surprising since the two formalisms play quite different 
roles in the development of a system. In particular, TRIO classes introduce new time 
relationships, which are not present in the corresponding CDs. 

The approach used to develop a TRIO specification is a three-step procedure. The 
first step consists of deriving a basic TRIO specification structure, using a set of pre-defined 
actions that are applied using information from the instantiated UML scheme 
(Sect. 4.1). In the second step, domain specific knowledge is introduced, leading to 
partially defined classes that include item declarations and formulae of general usage 
(Sect. 4.2). In the third step the specification is completed using application dependent 
knowledge and design level information (Sect. 4.3). 

4.1 Deriving the Skeleton of the TRIO Scheme from UML Class Diagrams 

As a starting point a number of syntactic links have been identified between CD elements 
and TRIO elements: 

L1 Reuse of the structured organization into classes; 
L2 The object instances of UML classes are mapped into TRIO types; 
L3 Class attributes are mapped into TRIO time (in)dependent items; 
L4 The value of a class attribute is mapped into a TRIO axiom, if the value is unique, or into a TRIO type, otherwise; 
L5 Associations are mapped into TRIO time (in)dependent predicates and axioms; 
L6 UML constraints are mapped into TRIO properties. 

Each first-level package of the UML Dependability Scheme given in Fig. 1 maps to 
a TRIO class, leading to a TRIO Scheme with three classes: System, Dynamic Environment 
and Strategy. In this paper we only provide a partial derivation for the three 
classes: their full description can be found in [7]. 

The construction of the classes is described through a set of numbered actions that 
we have defined following the information available in the generic scheme, and that can 
be applied by the modeller to the specific application using the information available in 
the instantiated scheme. In the following we present a few examples of actions (again, 
the full set is in [7]), where the numbering respects the original one in [7] for ease of 
reference, and their application to the PSAS case. 

Derivation of the class System. Sys_Action 1: in the CD Structure the class Automation 
System is composed of a set of Automation Components C_i. This set is represented as 
the domain type Automation_Component_Set, which is an enumerative range identifying 
class objects (application of L1 and L2). The type Automation_Component_Set is then 
used to define predicates characterising the class Automation Component. 
Sys_Action 2. The attribute cycle_time of the UML class Automation System in the Class 
Diagram Structure is translated into the TRIO Time Independent (TI) value cycle_time, 
taking values over the type cycle_value (application of L3). The range of values of 
the UML cycle_time attribute defines the type cycle_value (application of L4). Since a 
single value is also present for the UML attribute, the axiom cycle_time_setting is 
introduced, assigning that value to the item cycle_time. Let us now apply the previous 
actions to the PSAS case, by considering the set of CDs customised over the PSAS 
application. 

Application of Sys_Action 1. According to the customised CD of Fig. 2(A), the PSAS 
system is composed of three Primary Substation Automation Components. Therefore 
the domain type PS_Automation_Component_Set is introduced, which ranges over three 
values: N1, N2 and N3. 

Application of Sys_Action 2. According to the instantiated CD of Fig. 2(A), the PSAS 
cycle_time is set to 100 ms and its range from 60 to 100 ms. Therefore the domain 
type PS_cycle_value and the TI item cycle_time are introduced, as well as the axiom 
cycle_time_setting. Fig. 3 shows the partial specification of the class System for the PSAS 
obtained by applying all the actions. 



    class System 
      temporal domain integer; 
      types 
        PS_Automation_Component_Set = {N1, N2, N3}; 
        PS_Automation_Function_Set = {LCL_Command_Parallel_Transformer, LCL_Control_Power_Resuming}; 
        PS_cycle_value = 60..100; 
      TI Items 
        values 
          cycle_time : PS_cycle_value; 
        predicates 
          perform(PS_Automation_Component_Set, PS_Automation_Function_Set); 
          communicate(PS_Automation_Component_Set, PS_Automation_Component_Set); 
      vars 
        component : PS_Automation_Component_Set; 
        function : PS_Automation_Function_Set; 
        component1 : PS_Automation_Component_Set; 
        component2 : PS_Automation_Component_Set; 
      axioms 
        functions_of_components : all component, function perform(component, function); 
        cycle_time_setting : cycle_time = 100; 
        component_interactions : all component1, component2 
          (communicate(component1, component2) & communicate(component2, component1)); 
    end System 

Fig. 3. Skeleton of the PSAS System class (text view of the TRIO Specification Editor on the file PSAS_Scheme_from_UML; the editor reported: "The specification was typechecked successfully."). 



Derivation of the class DE. As for the class DE,  9 actions have been defined 
to specify faults, errors, failures, propagation in the FEF chain and the relationship with the 
affected system elements. As an example we present here only those relative to faults 
and to their propagation into errors. 
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DE_Action 1 and its application. Enumerative types should be introduced for speci- 
fying the possible types of faults, errors, and failure. The application of this action for 
faults, using the information from the Fault model in the PSAS instantiated CDs leads 
to the enumerative type PS -Fault -Categories = { perm-physical, temp -physical } . 
DE_Action 2, 3 and their application. These actions relate FEF elements to system el- 
ements, following the information of the affect CD association, and require to introduce 
three TI predicates with associated axioms to formalize the predicate. For faults the 
predicate is called fault .affect -component (Fault-Categories, Automation -Component- 
Set), and its application to the PSAS leads to the predicate fault Mffect .component 
(PS-Fault_Categories, PS-Automation_ComponentSet). Assuming componenti s a vari- 
able of 

PS-Automation-Component-Set type, the axiom is: 

fault_model: all component
  (fault_affect_component(perm_physical, component) &
   fault_affect_component(temp_physical, component));

DE_Action 7. The axiom error_causes is introduced: it traces back to the cause-effect association in the CD of the FEF chain. An error can be directly caused by a fault, or by the propagation of an error. The axiom states that, at a given instant, an error can affect function1 performed by component1 only if some t time units before a fault occurred (a fault of a type that can affect component1), or if some t time units before an error occurred to a function2 of component2, and component1 and component2 communicate (thus allowing error propagation). Note that the axiom is an implication, not an equivalence: it restricts what may cause an error, it does not force an error to occur.

error_causes: Alw(all component1, function1
  (Becomes(error(function1, component1)) ->
    (perform(component1, function1) &
      (ex fault_cat, t (fault_affect_component(fault_cat, component1) &
                        Dist(Becomes(fault(fault_cat, component1)), -t))
       | ex component2, function2 (communicate(component1, component2) &
                                   perform(component2, function2) &
                                   ex t Dist(Becomes(error(function2, component2)), -t))))));

Derivation of the class Strategy. The set of derivation actions for this class introduces a label for each dependability step in the strategy (error_recovery, error_detection and fault_treatment), an axiom (cycle_number) setting the number of cycles needed to perform the whole strategy, and the property performance establishing the duration of the strategy in terms of cycle_number.



4.2 Completing the Skeleton with Domain Dependent Knowledge 

Once the modeller has derived the TRIO skeleton, the methodology proposes a number of completion actions that provide a set of pre-defined predicates and axioms pertinent to the automation system domain. The modeller then selects the actions he considers relevant for the application, leading to an enrichment of the partial specification produced in the previous step. Again, only a subset of the actual completion steps is shown here, the full description being in [7].

Sys_Completion1. In a fault tolerant system, any Automation_Component Ci may be operational or not (that is to say, included in the current configuration or not). The predicate included(C) is therefore introduced: it is a TD predicate, since a given Automation_Component may change its operational status over time.

Sys_Completion2. The axiom cycle_boundary is introduced: it formalises which event determines the cyclic evolution of the distributed system. If the cycle is determined by the reception of a periodic_signal, the axiom is naturally expressed by the TRIO operator NextTime(F, t) (F holds exactly t time units in the future and at no instant in between), where F is the cycle signal, representing for instance the start of a new cycle, and t is a term set equal to cycle_time:

cycle_boundary: Alw(periodic_signal_received <->
  ex cycle_t (cycle_t = cycle_time & NextTime(periodic_signal_received, cycle_t)));

Sys_Completion3. The (initial, normal, abnormal) behaviour of a distributed automation system is based on message exchange protocols, which are formalised by two enumerative types Received_Messages and Sent_Messages and two TD predicates: message_received(Received_Messages, Automation_Component_Set) and send_message(Sent_Messages, Automation_Component_Set).

Sys_Completion4. The axiom label normal_behavior is introduced, which formalises what the system should do in normal conditions. The actual definition of the axiom will be given at a later stage, when considering application dependent information.

All the completion rules above are considered relevant for the PSAS case, and the corresponding axioms and predicates are therefore inserted in the skeleton. This results in the (incomplete) formalisation of the PSAS System class of Fig. 4.

For the completion of the class DE we have chosen to show the definition of temporary fault, which is done in terms of an attribute of faults called fault_duration. A fault is temporary if, given that it occurs at the current time, it will disappear before a time t1 smaller than the fault_duration parameter, and for all times t2 from the current time to t1 the fault is active. In TRIO terms:

temporary_faults_persistence: Alw(all component (
  Becomes(fault(temp_physical, component)) ->
    (ex t1 (t1 > 0 & t1 < fault_duration(temp_physical) &
            Dist(Becomes(~fault(temp_physical, component)), t1) &
            all t2 (t2 > 0 & t2 < t1 -> Dist(fault(temp_physical, component), t2))))));

For the completion of the class Strategy we consider the definition of the error_detection axiom, stating that a component is faulty if there is a potential transient fault in the component, or a permanent fault has been detected.

error_detection: Alw(all component (faulty(component) <->
  potential_transient_fault(component) | permanent_fault_detected(component)));
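The following Python program is an added example; it is not code from the paper or from the TRIO tool. It evaluates the two axioms above (cycle_boundary with cycle_time = 5, as in Fig. 4, and temporary_faults_persistence) over constructed finite traces, which is what a TRIO model is once the model generator has drawn it: one truth value per time-dependent item per instant. Instants beyond the window are unknown, so the evaluator is three-valued: a trace refutes an axiom only when the axiom evaluates to False, and "undetermined" signals that the window is too short for the lookahead of NextTime, which is why the temporal window of a proof is chosen as a multiple of cycle_time in Section 5. The value 3 assumed for fault_duration(temp_physical), the traces, and the discrete-time readings of Becomes and NextTime are assumptions made here.

```python
"""Added example, not part of the paper or of the TRIO tool: a three-valued
evaluator for a small fragment of TRIO over finite discrete-time traces.

A "model" is what TRIO's model generator draws as a timed diagram: for each
time-dependent item, a truth value at every instant of the temporal window.
Instants outside the window are unknown, so evaluation is Kleene three-valued
(True / False / None); a trace refutes an axiom only when the axiom evaluates
to False, and None means the window is too short to decide. Operator names
follow the paper (Alw, AlwF, AlwP, Dist, Becomes, NextTime). The traces, the
cycle time (5, as in Fig. 4) and the fault_duration value are constructed.
"""
from typing import Callable, Dict, Iterable, List, Optional

Trace = Dict[str, List[bool]]                      # item name -> truth value per instant
Formula = Callable[[Trace, int], Optional[bool]]   # (model, instant) -> 3-valued

def window(m: Trace) -> int:
    return len(next(iter(m.values())))

# Kleene connectives: a definite False wins, then None, then True.
def k_not(a): return None if a is None else (not a)
def k_and(a, b):
    if a is False or b is False: return False
    return True if (a is True and b is True) else None
def k_all(vals: Iterable) -> Optional[bool]:
    out = True
    for v in vals: out = k_and(out, v)
    return out
def k_ex(vals: Iterable) -> Optional[bool]:
    return k_not(k_all(k_not(v) for v in vals))

# Propositional part
def atom(name: str) -> Formula:
    """Time-dependent item; None outside the temporal window."""
    def f(m, i):
        v = m[name]
        return v[i] if 0 <= i < len(v) else None
    return f
def neg(F): return lambda m, i: k_not(F(m, i))
def conj(F, G): return lambda m, i: k_and(F(m, i), G(m, i))
def disj(F, G): return neg(conj(neg(F), neg(G)))
def implies(F, G): return disj(neg(F), G)
def iff(F, G):
    def f(m, i):
        a, b = F(m, i), G(m, i)
        return None if a is None or b is None else a == b
    return f

# Temporal part, discrete time (assumed readings of the TRIO definitions)
def Dist(F, t): return lambda m, i: F(m, i + t)      # F holds t units away from now
def Becomes(F): return conj(F, Dist(neg(F), -1))     # F now, not F one unit ago
def NextTime(F, t):                                  # F at +t and at no instant in (0, t)
    def f(m, i):
        return k_all([k_not(F(m, i + d)) for d in range(1, t)] + [F(m, i + t)])
    return f
def Alw(F):  return lambda m, i: k_all(F(m, j) for j in range(window(m)))
def AlwF(F): return lambda m, i: k_all(F(m, j) for j in range(i + 1, window(m)))
def AlwP(F): return lambda m, i: k_all(F(m, j) for j in range(0, i))

def verdict(F: Formula, m: Trace) -> str:
    return {True: "holds", False: "refuted", None: "undetermined"}[F(m, 0)]

# --- cycle_boundary (Sys_Completion2) with cycle_time = 5 ---
CYCLE_TIME = 5
periodic = atom("periodic_signal_received")
cycle_boundary = Alw(iff(periodic, NextTime(periodic, CYCLE_TIME)))

def periodic_trace(instants, length=20) -> Trace:
    """Constructed model: the cycle signal is true exactly at the given instants."""
    return {"periodic_signal_received": [i in instants for i in range(length)]}

# --- temporary_faults_persistence (class DE), fault_duration(temp_physical) = 3 assumed ---
FAULT_DURATION = 3

def temporary_faults_persistence(component: str) -> Formula:
    fault = atom(f"fault(temp_physical,{component})")
    def disappears_in_time(m, i):
        # ex t1 (0 < t1 < fault_duration & Dist(Becomes(~fault), t1) &
        #        all t2 (0 < t2 < t1 -> Dist(fault, t2)))
        cases = []
        for t1 in range(1, FAULT_DURATION):
            still_active = k_all(fault(m, i + t2) for t2 in range(1, t1))
            cases.append(k_and(Dist(Becomes(neg(fault)), t1)(m, i), still_active))
        return k_ex(cases)
    return Alw(implies(Becomes(fault), disappears_in_time))

def fault_trace(active, component="c1", length=20) -> Trace:
    """Constructed model: the temporary fault of `component` is active at `active`."""
    return {f"fault(temp_physical,{component})": [i in active for i in range(length)]}

if __name__ == "__main__":
    print(verdict(cycle_boundary, periodic_trace({0, 5, 10, 15})))             # undetermined
    print(verdict(cycle_boundary, periodic_trace({0, 5, 12, 17})))             # refuted
    print(verdict(temporary_faults_persistence("c1"), fault_trace({4, 5})))     # holds
    print(verdict(temporary_faults_persistence("c1"), fault_trace({8, 9, 10}))) # refuted
```

The correct periodic trace is not refuted but also not confirmed: from instant 15 on the axiom has to look at instant 20, outside the window, so the verdict is "undetermined" rather than "holds". The fault lasting three units is refuted because no t1 strictly smaller than fault_duration sees it disappear.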



4.3 Completing the Specification with Application Dependent Knowledge 

The last phase of the TRIO specification construction includes the full definition of ax- 
ioms introduced only as labels in the previous phase, so as to obtain a complete (or 
closed) TRIO formalisation, and possibly the addition of new axioms and properties 




[Fig. 4 is a screenshot of the TRIO specification editor (scheme PSAS_Scheme_extension1); only its text view is recoverable. The propositions, TD predicates, variables, axioms and property of the completed System class read:]

propositions
  end_cold_restart; operator_reset_signal; full_functionality;
  degraded_functionality; periodic_signal_received;
TD items
  included(PS_Automation_Component_Set);
  message_received(Received_Messages, PS_Automation_Component_Set);
  send_message(Sent_Messages, PS_Automation_Component_Set);
vars
  component : PS_Automation_Component_Set;
  function : PS_Automation_Function_Set;
  component1 : PS_Automation_Component_Set;
  component2 : PS_Automation_Component_Set;
  t : distanceDomain;
  cycle_t : PS_cycle_value;
axioms
  functions_of_components : all component, function perform(component, function);
  cycle_time_setting : cycle_time = 5;
  cold_restart_termination : Alw(Becomes(end_cold_restart) -> Dist(Becomes(~end_cold_restart), 1));
  full_functionality_mode : AlwF(full_functionality <-> all component included(component));
  normal_behavior : true;
  start_up_phase : true;
  component_interactions : all component1, component2 (communicate(component1, component2) &
                                                        communicate(component2, component1));
  operator_resetting : Alw(Dist(operator_reset_signal & end_cold_restart, -1) <->
                           Becomes(~operator_reset_signal));
  cycle_boundary : Alw(periodic_signal_received <->
                       ex cycle_t (cycle_t = cycle_time & NextTime(periodic_signal_received, cycle_t)));
  degraded_functionality_mode : AlwF(degraded_functionality <->
                                     ex component1 included(component1) & ex component2 ~included(component2));
properties
  availability : AlwF(full_functionality | degraded_functionality);
end System

Fig. 4. Completion of the PSAS system class.



which are application-specific. Observe that in the first step we have already used application dependent information, but it was information readily available in the instantiated CD scheme (for example the types of faults and components), while in this final step also design level information is needed. As an example consider the following:

(Re)application of Sys_Action2. The application of this action in step one led to the assignment of 100 time units to the TRIO item cycle_time (see Fig. 3). Considering that the corresponding attribute of the CD has an assigned value of 100 ms, a choice of 100 is indeed correct, but it is definitely not the most convenient one from a computational point of view. In TRIO, as in all temporal logics, it is wise to choose the coarsest possible granularity for time. By considering all the events that involve the item cycle_time in the design, a choice of 20 ms per time unit has been considered appropriate, resulting in an assignment of 5 time units to the item through the axiom cycle_time_setting.

(Re)application of Completion2. The definition of axiom cycle_boundary is modified, based on a proposition synch_signal_received that represents the external synchronisation signal received by a task coordinating the activities of the PS Components:

cycle_boundary: Alw(synch_signal_received <->
  ex cycle_t (cycle_t = cycle_time & NextTime(synch_signal_received, cycle_t)));

(Re)application of Completion4. The normal behaviour of the PSAS is described in terms of a message exchange protocol assuring its correct and consistent evolution. On reception of each synch signal the PSAS component with the master role must receive

[Fig. 5 is a screenshot of the TRIO specification editor (scheme PSAS_Scheme_DSN04) showing the axiom normal_behavior in text view; the recoverable text is:]

normal_behavior:
  (synch_signal_received & ex cycle_t (NextTime(synch_signal_received, cycle_t) &
     all component (included(component) <-> ex t (t > (cycle_t - cycle_time) & t < cycle_t &
                                                  Dist(message_received(end_cycle_OK, component), t)))))
  <->
  (synch_signal_received & ex cycle_t (NextTime(synch_signal_received, cycle_t) &
     Dist((all component (included(component) <-> send_message(release_outputs, component)) &
           Dist(all component (included(component) <-> message_received(released_outputs_OK, component)) <->
                all component (included(component) <-> send_message(perform_cycle, component)),
                1)),
          cycle_t)));

(The editor reports that the specification was typechecked successfully.)

Fig. 5. Formalization of the normal behavior protocol.



an end_cycle_OK message from each slave component at a time t which is within a cycle time (Dist(message_received(end_cycle_OK, component), t)). If the end_cycle_OK message is received from each component, then the master component performs a confirm_cycle procedure. The confirmation of the last elaborated cycle consists of sending the orders release_outputs and perform_cycle to all the slave Automation Components. As formalised in Fig. 5, the order to start elaboration of a new cycle is sent if and only if each component confirms the correct emission of its output via released_outputs_OK messages within 20 ms (i.e., at Dist equal to 1 time unit).



5 How to Analyze the TRIO Specification 

In the previous section we have shown how the logic specification of an application in the automation domain can be produced by re-using the information present in a Class Diagram description of the application, selecting a number of predicates and axioms among a set of predefined ones, and completing the specification with application dependent knowledge made available by the system designers.

Although the construction of a specification is a relevant step in the definition of a dependable automation system, it is also very important to be able to analyze the specification: in TRIO this is realized through model generation and property proof. In this section we show a few examples of model generation. Model generation produces a timed diagram in which the truth values of the selected predicates are plotted against time, and can be considered as an abstract trace of the system execution concentrating on the predicates of interest, while property proof amounts to proving that a property is valid (that is to say, true in every model) for a given temporal window.

In order to perform the analysis of the PSAS behaviour, the TRIO models consistent with the specification may be generated automatically by setting up proof sessions in which a subset of axioms, properties and ATCs is selected.

For the class System we consider an example of analysis of the normal behaviour of the PSAS (showing its intended functionality in a fault-free setting), specified by the axiom normal_behavior of Fig. 5, and we ask TRIO to generate all models that represent an execution compatible with the axiom normal_behavior. This may lead to too many models: to concentrate on the most interesting ones it is necessary to restrict the focus of the analysis, using Abstract Test Cases (ATCs). ATCs may be both domain dependent and application dependent. For normal behaviour model generation we concentrate on an initial state characterized by all components being operational, at the instant of time in which the synchronization signal is received (ATC 1); we consider only configurations that are stable (ATC 2), and a scenario in which all messages are received normally (ATC 3).

(ATC 1) normal_initialisation: sets the initial truth values of system primary attributes, including the system configuration (predicate included). The PSAS initialisation establishes that before the evaluation instant no PS Automation Component is included and the synchronization signal is false, and that at the evaluation instant all the PS Automation Components are included and the synchronization signal becomes true:

normal_initialisation:
  AlwP(all components ~included(components) & ~synch_signal_received) &
  all components included(components) & synch_signal_received;

(ATC 2) stable_configuration: it is used to restrict the analysis to models in which the components of the system, once included, will not be removed:

stable_configuration: all components
  (included(components) -> AlwF(included(components)));

(ATC 3) normal_scenario: it focuses the generation process only on cases in which each component sends the expected messages in due time, and it chooses a specific timing for message reception. An example temporally confined to the first cycle is given by the following ATC, in which all the end_cycle_OK messages are received at time 4 and all the released_outputs_OK messages at time 6:

normal_scenario: all components
  (included(components) <->
    (Dist(message_received(end_cycle_OK, components), 4) &
     Dist(message_received(released_outputs_OK, components), 6) &
     all t (t <> 4 <-> Dist(~message_received(end_cycle_OK, components), t)) &
     all t (t <> 6 <-> Dist(~message_received(released_outputs_OK, components), t))));

The set-up of the model generation for the normal behaviour case is done through the TRIO graphical interface. Three axioms have been selected: normal_behavior, as expected, and cycle_time_setting and cycle_boundary, which define the notion of cycle and whose definition is given in Fig. 4. The three ATCs defined above are selected, so that only models compatible with the three axioms and the three ATCs will be generated.

At this point the TRIO tool asks for the temporal window of reference of the proof: obviously, the larger the window, the more expensive the analysis. Since with this proof we want to observe the normal behaviour of the system, and since the whole system behaviour is defined in terms of cycles, it is a natural choice to choose a temporal domain size that is a multiple n of cycle_time (which is set to a cycle value equal to 5 for the PSAS). For this proof a value of n = 2 has been chosen, leading to a temporal window of 10 time units, which allows one to check the behaviour of the system upon the reception of two successive synchronization signals. In general the value of n should be the minimal number of cycles needed to check a certain behaviour; for example, when checking a complex dependability strategy the value of n could be given by the system requirements (recovery has to terminate within k cycles), and we can use model generation to check that this requirement is indeed met.

The model generation of TRIO then produces the execution depicted in Fig. 6: the simulation window shows the truth values over the timeline of the time dependent items of the proof that the modeller has selected for visualization. The model that has been generated corresponds to a "normal_behavior" execution in which each included component has sent an end_cycle_OK message, the order release_outputs has been sent to each component, the acknowledgement has been received within 20 ms (one time unit) and finally the order to perform the next cycle has been sent to all components.



[Fig. 6 is a screenshot of the TRIO simulation viewer; the generated timed diagram is not recoverable from the text.]

Fig. 6. The generated model for the normal_behavior proof.



The TRIO formalisation of the class Dynamic Environment allows one to study the effect of faults on a system in which a dependability strategy has been deployed, while the analysis of this class together with the class Strategy allows one to study the effectiveness of the dependability strategy in limiting the damage due to faults.

As an example we consider the case in which PSAS faults are considered (axiom fault_model), there is a full communication structure among components (axiom component_interactions defined in Fig. 4), each component can perform any function (axiom functions_of_components defined in Fig. 4), and the relationship between faults and errors is set according to axiom error_causes (defined in the previous section as a result of DE_Action 7). Since we want to study the effect of faults we concentrate the focus of this first proof on executions that experience a single fault. The model produced (whose window is not shown here for space reasons) depicts a behaviour in which a single fault propagates to all components, and therefore to all functionalities, so that the system is not able to deliver the expected service.

The analysis of this class therefore makes explicit the global effect of a chain of local actions (as expressed by the communicate, perform and cause-effect associations that were already present in the UML CDs and that have been translated into TRIO predicates and axioms) under different fault occurrence settings.
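As an added example (not from the paper, and not the TRIO tool), the closure below makes the single-fault proof just described reproducible without a theorem prover: it takes the communicate, perform and fault_affect_component relations and computes, instant by instant, the largest set of errors that the error_causes axiom permits. Two assumptions are built in and labelled in the code: causation takes exactly one time unit, and an error, once present, persists. The full communication structure of the PSAS gives the result reported above (every component in error two instants after a single fault); a chain topology, or a component that performs no function, shows how the same relations bound the blast radius of one faulty or compromised node instead. Components, functions and the fault are constructed.

```python
"""Added example, not part of the paper: worst-case error propagation under the
error_causes axiom of the DE class, computed as a reachability closure over the
communicate / perform / fault_affect_component relations.

error_causes only says what MAY cause an error; this code explores the maximal
model it allows under two constructed assumptions: a fault or a neighbouring
error causes an error exactly one time unit later, and errors persist. The
components, functions, relations and the fault are constructed; the first
scenario mirrors the paper's single-fault proof (full communication structure,
every component performs every function).
"""
from typing import Dict, Set, Tuple

Err = Tuple[str, str]   # (function, component), as in error(function, component)

def propagate(perform: Set[Tuple[str, str]],
              communicate: Set[Tuple[str, str]],
              fault_affect: Set[Tuple[str, str]],
              faults: Dict[int, Set[Tuple[str, str]]],
              horizon: int) -> Dict[int, Set[Err]]:
    """
    perform:      (component, function) pairs, the perform predicate
    communicate:  (c1, c2) pairs, the communicate predicate (c2's errors can reach c1)
    fault_affect: (fault_cat, component) pairs, fault_affect_component
    faults:       instant -> set of (fault_cat, component) that Becomes true there
    Returns, for each instant 0..horizon, the (function, component) pairs in error.
    """
    errors: Dict[int, Set[Err]] = {0: set()}
    for t in range(1, horizon + 1):
        prev = errors[t - 1]
        cur: Set[Err] = set(prev)                       # errors persist (assumption)
        for c1, f1 in perform:
            # direct cause: a fault able to affect c1 occurred one unit earlier
            hit = any(c == c1 and (cat, c1) in fault_affect
                      for cat, c in faults.get(t - 1, set()))
            # propagation: a communicating component performed a function in error
            hit = hit or any((c1, c2) in communicate and (f2, c2) in prev
                             for c2, f2 in perform)
            if hit:
                cur.add((f1, c1))
        errors[t] = cur
    return errors

def affected_components(errors: Dict[int, Set[Err]], t: int) -> Set[str]:
    """Components with at least one function in error at instant t."""
    return {c for (_f, c) in errors[t]}

def first_error_instant(errors: Dict[int, Set[Err]], component: str) -> int:
    """Instant at which `component` first has a function in error, or -1 if never."""
    for t in sorted(errors):
        if component in affected_components(errors, t):
            return t
    return -1

# Constructed PSAS-like instance
COMPONENTS = {"c1", "c2", "c3"}
FUNCTIONS = {"f1", "f2"}
PERFORM_ALL = {(c, f) for c in COMPONENTS for f in FUNCTIONS}           # functions_of_components
FULL_COMM = {(a, b) for a in COMPONENTS for b in COMPONENTS if a != b}   # component_interactions
CHAIN_COMM = {("c1", "c2"), ("c2", "c1"), ("c2", "c3"), ("c3", "c2")}   # restricted topology
FAULT_AFFECT = {(cat, c) for cat in ("perm_physical", "temp_physical")
                for c in COMPONENTS}                                      # fault_model
SINGLE_FAULT = {0: {("temp_physical", "c1")}}                              # one fault, at instant 0

def scenario(communicate, perform=PERFORM_ALL, horizon=4) -> Dict[int, Set[Err]]:
    return propagate(perform, communicate, FAULT_AFFECT, SINGLE_FAULT, horizon)

if __name__ == "__main__":
    full = scenario(FULL_COMM)
    print({t: sorted(affected_components(full, t)) for t in full})
    chain = scenario(CHAIN_COMM)
    print(first_error_instant(chain, "c3"))
    quiet_c2 = scenario(CHAIN_COMM, perform=PERFORM_ALL - {("c2", "f1"), ("c2", "f2")})
    print(first_error_instant(quiet_c2, "c3"))
```

With full communication the fault at c1 reaches every function of every component at instant 2; on the chain, c3 is reached only at instant 3, and not at all when c2 performs no function, because error_causes only lets an error propagate through a function that the intermediate component actually performs.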



6 Conclusions 

In this paper we have presented, with the help of a case study, a support to the specification and analysis of dependable automation systems which makes use of UML class diagrams and of the declarative temporal logic TRIO. In the context of formal analysis tools the peculiarity of TRIO lies in the possibility of analysing the temporal scenarios underlying the specification in a uniform framework which uses the same language for both specifying and querying the system. The TRIO tool may be classified as a temporal theorem prover, as PVS is for higher order logics.

The combined use of UML with formal methods in the functional specification and analysis of software systems has received great attention from the research community, with the goal of giving a formal semantics to the UML diagrams, usually through translation into another formal language (there is a very large body of literature on the topic, see for example the work of the Precise UML group [23]).

In this paper we do not propose a translation, but a pre-defined set of temporal logic specifications that have been associated to a pre-defined description of an automation system through a set of UML Class Diagrams. The proposed approach is meant to provide requirement reuse, a topic that, following the work on patterns [8] for design reuse, is gaining increasing interest: in [14] UML based patterns (mainly CDs and Statecharts) are defined for embedded system requirements, and the work is extended in [15] to include properties specified in the linear temporal logic LTL of SPIN [13].

The novelty of our contribution is in identifying a three-step approach in which the construction of the formal specification follows partially a derivative style and partially a selective style. It is assumed that the analyst still needs to play an important decision role in the analysis, whilst the tool provides him with methodological support.

The specification support provided here is in three steps: the TRIO class structure and a number of initial TRIO items and types are (manually) derived from a UML CD description of the system; this partial specification is then augmented in a second step with domain dependent information; while in the third step the specification is completed using application dependent knowledge. The role of the modeller increases along the three steps: in the first one he only has to apply the predefined actions by extracting information from the instantiated CD diagrams, in the second step he has to select the subset of predicates and axioms that are considered relevant for the application, while in the third step he has to apply his expertise to define all axioms and additional predicates needed to complete the specification.

Writing TRIO formulae requires indeed a certain skill. To make the use of TRIO transparent to the user, the work in [17] proposes the automatic generation of TRIO formulae from annotated UML Statecharts (in the context of real-time systems): this result could be integrated in our approach, especially when the modeller is fluent in UML Statecharts, so that certain parts of the specification can be produced automatically.

The paper also provides a (limited) support to the formal analysis, an activity which requires skill not only to define the system, but also to drive the proof sessions so as to avoid an explosion of complexity. The methodological lines presented in the paper represent a preliminary result: support for the identification and definition of ATCs, and for the definition of the appropriate temporal window for the analysis, is an interesting topic for future research. In particular it is still to be investigated to which extent the "guided approach to specification" described in this paper can be coupled with a "guided approach to analysis". In the paper we have presented examples of analysis: analysis of a logic specification is an incremental activity, and the space limitations allow only the exemplification of limited steps of the analysis activity.

The methodological approach has been exemplified on a case study taken from the control systems of an electric distribution network. However, it seems reasonable to consider the proposed three-step method applicable also to other applications in the automation system domain, given the generality of the closed loop execution model considered.

Finally, the TRIO specification has been built starting from an ad-hoc description of the dependability aspects of an automation system. Following the work on the UML profile for Performance and Schedulability [20], it is likely that an extension to include dependability aspects will be made available in the near future [22]: it will then be necessary to adapt the proposed CD scheme to the new standard.

Abstract. We give a general formulation of approximate model-checking, in which both under- and over-approximations are propagated to give two-sided approximations of the denotation set of an arbitrarily complex formula. As our specification language, we use the modal $\mu$-calculus, since it subsumes standard linear and branching temporal logics over transition systems like LTL, CTL and CTL*. We give a general construction of a topological finite approximation scheme for a Kripke model from a state-space discretization via an A/D-map and its induced finite topology. We further show that under natural coherence conditions, any finite approximation scheme can be refined by a topological one.



1 Introduction 

It is now well established that exact symbolic model-checking of modal and/or 
temporal logic formulas in transition system models of hybrid and real-time 
systems is not computationally possible (recursively solvable) except when re- 
stricted to some tightly constrained sub-classes of systems. Given these limita- 
tions on exactness, a good deal of current research in formal methods for hybrid 
and real-time systems is devoted to developing algorithms for approximations 
of various backwards and forwards reachability operators on sets arising from 
differential inclusions and equations. Such approximations are typically based on 

* Research support from Aust. Research Council, Grants DP0208553, LX0242359. We thank Bryn Humberstone at Univ. of Melbourne for many valuable discussions.

a discretization of the state space by a finite partition or cover, e.g. consisting of a regular array of rectangular boxes, or of convex polyhedra or ellipsoids. Recent contributions focus attention on application relevant classes of reachability relations and include algorithms for the efficient computation of over-approximations of sets of reachable states [1-3, 8, 10].

For example, in seeking to verify a safety property of a hybrid system model, such as expressed by "From given initial conditions, the system never reaches a danger state", one can use an over-approximation of the true reach-set and its disjointness from the danger states to conclude "definitely YES" to the verification question. Now suppose instead that one is asking control questions, such as "From which set of states can the system be steered to reach a given target region, and up until then, always remain within designated safe states?" Here, a guaranteed under-approximation of this backwards reachability set will let us identify a set of states for which we can answer "definitely YES" to this controllability question, with respect to the particular dynamics of the steered system.

In this paper, we address the task of giving two-sided approximate evaluations of the denotation set $[\![\varphi]\!]^{\mathcal{M}} \subseteq X$ of a logic formula $\varphi$, where $[\![\varphi]\!]^{\mathcal{M}}$ is the set of all states of a Kripke model $\mathcal{M}$ at which $\varphi$ is satisfied, with $\mathcal{M} = (X, R, v)$, $X$ the state space, $R \subseteq X \times X$ the transition relation, and $v : P \to 2^X$ a valuation of atomic propositions $p \in P$ as subsets of $X$. We consider the general problem of constructing maps $Un^{\mathcal{M}}$ and $Ov^{\mathcal{M}}$ which, when applied to a formula $\varphi$, return explicit computable descriptions of subsets of $X$ with the property that $Un^{\mathcal{M}}(\varphi) \subseteq [\![\varphi]\!]^{\mathcal{M}} \subseteq Ov^{\mathcal{M}}(\varphi)$. As our specification language, we take the modal $\mu$-calculus, since all the standard linear and branching temporal logics interpreted over transition systems (LTL, and CTL and CTL*, respectively) are subsumed by the $\mu$-calculus. We actually work with the tense logic extension, with modal operators for both the one-step future and past along the transition relation, as both constructs naturally arise in control and verification problems.

Building on the foundations of Cousot and Cousot's abstract interpretation [5], questions of approximation and abstraction for model-checking of large but finite state systems have been addressed by Grumberg and colleagues in [4, 6, 12]. In the recent [12], they develop a framework for abstraction using three-valued semantics, working say with $\mathbb{T} := \{yes, no, indf\}$ (the latter abbreviating "indefinite"); working over bi-relational "must-may" Kripke models $\mathcal{M}$, they give a disjoint pair of affirmation and refutation denotation sets $[\![\varphi]\!]^{\mathcal{M}}_{yes} \subseteq X$ and $[\![\varphi]\!]^{\mathcal{M}}_{no} \subseteq X$ such that $[\![\varphi]\!]^{\mathcal{M}}_{yes} \cap [\![\varphi]\!]^{\mathcal{M}}_{no} = \emptyset$, and take $[\![\varphi]\!]^{\mathcal{M}}_{indf} := X - ([\![\varphi]\!]^{\mathcal{M}}_{yes} \cup [\![\varphi]\!]^{\mathcal{M}}_{no})$.

As we discuss below, the basic framework in [12] gives rise to a particular solution to our problem of two-sided approximate model-checking: given a standard Kripke model $\mathcal{M}$ that is abstracted under a suitable mixed simulation relation by a bi-relational "must-may" Kripke model $\mathcal{N}$, an under-approximation set $Un^{\mathcal{M}}(\varphi)$ can be obtained from $[\![\varphi]\!]^{\mathcal{N}}_{yes}$ and an over-approximation set $Ov^{\mathcal{M}}(\varphi)$ can be obtained from the set-complement of $[\![\varphi]\!]^{\mathcal{N}}_{no}$. The main results in [4, 6, 12] all assume that one has available an explicit first-order description of the true transition relation $R$ on the concrete model $\mathcal{M}$, with exact point-wise knowledge of $R$. While these are reasonable assumptions for the very large but still finite state systems considered in these papers, they are quite restrictive in the setting of hybrid and real-time systems.

Technically, we develop a simple set-theoretic notion of a finite approximation scheme (f.a.s.) for $\mu$-calculus formulas interpreted in a Kripke model, and establish the naturalness of our notion by showing that a model has a maximally refined f.a.s. if and only if it has a finite bisimulation quotient. We then give a general construction of an f.a.s. for a Kripke model from the topology generated from a finite cover or discretization of the state space under an A/D-map. In contrast to [4, 6, 12], we do not assume exact point-wise knowledge of the concrete transition relation $R$ in order to construct approximations of the modal/tense operators; instead, we make do with a weaker assumption of having under- and over-approximations of the $R$-reachability (post-image) operator applied to the cells of the A/D map, which fits much better with current algorithms for approximating sets of reachable states in papers such as [1-3, 10]. We conclude the paper by proving a comprehensiveness result that every f.a.s. satisfying natural coherence conditions can be refined to give a topological f.a.s.

Structure of paper: Section 2 contains preliminaries from mathematics and 
logic. In Section 3, we formulate a general notion of a finite approximation 
scheme, and of refinements of schemes. Section 4 gives the basics of covers, 
A/D maps, and their Alexandroff topologies. The main results are in Section 5, 
and Section 6 gives a brief summary and discussion. 

2 Preliminaries 

2.1 Mathematical Preliminaries 

We write $r : X \rightsquigarrow Y$ to mean both that $r : X \to 2^Y$ is a set-valued map, with (possibly empty) set-values $r(x) \subseteq Y$ for each $x \in X$, and equivalently, that $r \subseteq X \times Y$ is a relation. (Total and single-valued) functions $r : X \to Y$ are a special case of set-valued maps. We write $r^{-1} : Y \rightsquigarrow X$ for the relational inverse/converse; $\mathrm{dom}(r) := \{x \in X \mid r(x) \neq \emptyset\}$ and $\mathrm{ran}(r) := \mathrm{dom}(r^{-1})$.

For maps $r_1 : X \rightsquigarrow Y$ and $r_2 : Y \rightsquigarrow Z$, we write their relational composition as $r_1 * r_2 : X \rightsquigarrow Z$, given by $(r_1 * r_2)(x) := \{z \in Z \mid (\exists y \in Y)\,[y \in r_1(x) \wedge z \in r_2(y)]\}$, in sequential left-to-right application order.

A relation $r : X \rightsquigarrow Y$ determines two pre-image operators (predicate transformers): the existential pre-image function $r^{-\exists} : 2^Y \to 2^X$ and the set-theoretic dual universal pre-image $r^{-\forall} : 2^Y \to 2^X$. Formally,

$$r^{-\exists}(W) := \{x \in X \mid W \cap r(x) \neq \emptyset\}$$

$$r^{-\forall}(W) := X - r^{-\exists}(Y - W) = \{x \in X \mid r(x) \subseteq W\}$$

for $W \subseteq Y$. The corresponding adjoint pair of post-image operators $r^{\forall}, r^{\exists} : 2^X \to 2^Y$ are given by $r^{\forall} := (r^{-1})^{-\forall}$ and $r^{\exists} := (r^{-1})^{-\exists}$, respectively. The adjoint relationships are: $r^{-\exists}(W) \subseteq V$ iff $W \subseteq r^{\forall}(V)$, and $r^{\exists}(V) \subseteq W$ iff $V \subseteq r^{-\forall}(W)$, for all $V \subseteq X$ and $W \subseteq Y$.

Recall that a topology $\mathcal{T} \subseteq 2^X$ on a set $X$ is a family of subsets of $X$ that
is closed under arbitrary unions and finite intersections. So $\mathcal{T}$ is a distributive
lattice of sets. The interior operator $\mathrm{int}_\mathcal{T} : 2^X \to 2^X$ determined by $\mathcal{T}$ is
given by $\mathrm{int}_\mathcal{T}(W) := \bigcup\{U \in \mathcal{T} \mid U \subseteq W\}$, and its dual closure
operator by $\mathrm{cl}_\mathcal{T}(W) := X - \mathrm{int}_\mathcal{T}(X - W)$. Sets $W \in \mathcal{T}$ are called open
w.r.t. $\mathcal{T}$, and this is so iff $W = \mathrm{int}_\mathcal{T}(W)$; complements of open sets are
called closed. A sub-family of open sets $\mathcal{B} \subseteq \mathcal{T}$ constitutes a basis for the
topology $\mathcal{T}$ on $X$ if every open set $W \in \mathcal{T}$ is a union of basic opens in $\mathcal{B}$,
and for every $x \in X$ and every pair of basic opens $U_1, U_2 \in \mathcal{B}$ such that
$x \in U_1 \cap U_2$, there exists $U_3 \in \mathcal{B}$ such that $x \in U_3 \subseteq (U_1 \cap U_2)$.

A topology $\mathcal{T}$ on $X$ is called Alexandroff if for every $x \in X$, there is a smallest
open set $U \in \mathcal{T}$ such that $x \in U$. In particular, every finite topology (i.e. only
finitely many open sets) is Alexandroff. There is a one-to-one correspondence
between pre-orders on $X$ and Alexandroff topologies on $X$. Any pre-order $\preccurlyeq$
on $X$ induces an Alexandroff topology $\mathcal{T}_\preccurlyeq$ by taking
$\mathrm{int}_{\mathcal{T}_\preccurlyeq}(W) := (\preccurlyeq)^{-\forall}(W)$, which means $U \in \mathcal{T}_\preccurlyeq$ iff $U$ is
upwards-$\preccurlyeq$-closed, and $V$ is closed in $\mathcal{T}_\preccurlyeq$ iff $V$ is
downwards-$\preccurlyeq$-closed, and $\mathrm{cl}_{\mathcal{T}_\preccurlyeq}(W) = (\preccurlyeq)^{-\exists}(W)$. Conversely, for
any topology $\mathcal{T}$, define a pre-order $\preccurlyeq_\mathcal{T}$ on $X$, known as the specialisation
pre-order: $x \preccurlyeq_\mathcal{T} y$ iff $(\forall U \in \mathcal{T})\,[x \in U \Rightarrow y \in U]$. For any
pre-order, $\preccurlyeq_{\mathcal{T}_\preccurlyeq} = \preccurlyeq$, and for any topology, $\mathcal{T}_{\preccurlyeq_\mathcal{T}} = \mathcal{T}$ iff
$\mathcal{T}$ is Alexandroff.

Given two topological spaces $(X, \mathcal{T})$ and $(Y, \mathcal{S})$, a relation $R : X \leadsto Y$ is
called: lower semi-continuous (l.s.c.) if for every $\mathcal{S}$-open set $U$ in $Y$,
$R^{-\exists}(U)$ is $\mathcal{T}$-open in $X$; upper semi-continuous (u.s.c.) if for every
$\mathcal{S}$-open set $U$ in $Y$, $R^{-\forall}(U)$ is $\mathcal{T}$-open in $X$; and continuous if it is
both l.s.c. and u.s.c. [9].

2.2 Logic Preliminaries: Syntax 

Fix a finite set $P$ of atomic propositions, and let $\mathit{Var}$ be a countable set of
propositional variables. Let $\mathcal{L}^t_\mu(P)$ be the $\mu$-calculus (fixed-point) language
generated by the grammar:
$$\varphi ::= p \mid z \mid \bot \mid \top \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \wedge \varphi_2 \mid \langle F\rangle\varphi \mid \langle P\rangle\varphi \mid \mu z.\varphi$$
where $p \in P$, $z \in \mathit{Var}$, and a least fixed-point formula $\mu z.\varphi$ is well-formed
only when every occurrence of the variable $z$ within $\varphi$ occurs within the scope
of an even number of negations. A formula $\varphi$ is a sentence of the language
$\mathcal{L}^t_\mu(P)$ if every occurrence of a propositional variable in $\varphi$ is bound by
(within the scope of) a fixed-point operator $\mu$; let $\mathcal{S}^t_\mu(P)$ denote the set of
all such sentences.

The superscript $t$ indicates our use of tense logic, with the temporally dual
future and past modal diamond operators $\langle F\rangle$ and $\langle P\rangle$ respectively, and
their negation-dual box operators $[F]\varphi := \neg\langle F\rangle\neg\varphi$ and
$[P]\varphi := \neg\langle P\rangle\neg\varphi$. A formula $\langle F\rangle\varphi$ is read "At some state in the
future, $\varphi$ will hold", while $\langle P\rangle\varphi$ is read "At some state in the past, $\varphi$
has held".

For formulas $\varphi, \psi$ and propositions $p \in P$, we write $\varphi[p := \psi]$ to mean the
formula resulting from the simultaneous substitution of $\psi$ for each occurrence
of $p$ in $\varphi$. Likewise, for propositional variables $z \in \mathit{Var}$, we write
$\varphi[z := \psi]$ to mean the formula resulting from the simultaneous substitution of
$\psi$ for each occurrence of $z$ in $\varphi$ that is not bound by a $\mu$, and with
preliminary renaming of any occurrences of $z$ in $\psi$ that are bound by a $\mu$. The
$\mu$ operator is a least fixed-point constructor, and its dual greatest fixed-point
constructor $\nu$ is defined by $\nu z.\varphi := \neg\mu z.\neg\varphi[z := \neg z]$.
2.3 Logic Preliminaries: Semantics

A Kripke model for the language $\mathcal{L}^t_\mu(P)$ is a structure $\mathcal{M} = (X, R, v)$, where $X$
is any non-empty set, $R : X \leadsto X$ is a binary relation, and $v : P \leadsto X$ is a
set-valued map (atomic valuation). A variable assignment in $\mathcal{M}$ is a set-valued map
$\xi : \mathit{Var} \leadsto X$. A model $\mathcal{M}$ and a variable assignment $\xi$ together determine the
(classical, two-valued) denotation map $[\![\cdot]\!]^\mathcal{M}_\xi : \mathcal{L}^t_\mu(P) \to 2^X$ defined by
induction on formulas:
$$\begin{array}{ll}
[\![p]\!]^\mathcal{M}_\xi := v(p) & [\![z]\!]^\mathcal{M}_\xi := \xi(z)\\[2pt]
[\![\bot]\!]^\mathcal{M}_\xi := \emptyset & [\![\top]\!]^\mathcal{M}_\xi := X\\[2pt]
[\![\neg\varphi]\!]^\mathcal{M}_\xi := X - [\![\varphi]\!]^\mathcal{M}_\xi & \\[2pt]
[\![\varphi_1 \vee \varphi_2]\!]^\mathcal{M}_\xi := [\![\varphi_1]\!]^\mathcal{M}_\xi \cup [\![\varphi_2]\!]^\mathcal{M}_\xi &
[\![\varphi_1 \wedge \varphi_2]\!]^\mathcal{M}_\xi := [\![\varphi_1]\!]^\mathcal{M}_\xi \cap [\![\varphi_2]\!]^\mathcal{M}_\xi\\[2pt]
[\![\langle F\rangle\varphi]\!]^\mathcal{M}_\xi := R^{-\exists}([\![\varphi]\!]^\mathcal{M}_\xi) &
[\![\langle P\rangle\varphi]\!]^\mathcal{M}_\xi := R^{\exists}([\![\varphi]\!]^\mathcal{M}_\xi)\\[2pt]
[\![\mu z.\varphi]\!]^\mathcal{M}_\xi := \bigcap\{W \in 2^X \mid [\![\varphi]\!]^\mathcal{M}_{\xi[z/W]} \subseteq W\} &
\end{array}$$
where $\xi[z/W]$ is the assignment that is the same as $\xi$ except for assigning the
set $W$ to the variable $z$. For sentences $\varphi \in \mathcal{S}^t_\mu(P)$, the denotation set is
independent of the variable assignment: $[\![\varphi]\!]^\mathcal{M}_{\xi_1} = [\![\varphi]\!]^\mathcal{M}_{\xi_2}$ for any two
assignments $\xi_1, \xi_2 : \mathit{Var} \leadsto X$. Thus a model determines a (sentence) denotation
map $[\![\cdot]\!]^\mathcal{M} : \mathcal{S}^t_\mu(P) \to 2^X$ by $[\![\varphi]\!]^\mathcal{M} := [\![\varphi]\!]^\mathcal{M}_\xi$ for any assignment
$\xi$. A sentence $\varphi \in \mathcal{S}^t_\mu(P)$ is true (respectively, satisfiable) in a model $\mathcal{M}$
if $[\![\varphi]\!]^\mathcal{M} = X$ (respectively, $[\![\varphi]\!]^\mathcal{M} \neq \emptyset$).

Let $\mathcal{M} = (X, R, v)$ and $\mathcal{N} = (Z, S, u)$ be two Kripke models for the tense
language $\mathcal{L}^t_\mu(P)$. A relation $h : X \leadsto Z$ constitutes a simulation (respectively,
tense simulation) of model $\mathcal{M}$ by model $\mathcal{N}$ if:

– the set inclusion $h^{\exists}(v(p)) \subseteq u(p)$ holds for each $p \in P$, and

– the relational inclusion $(h^{-1} \bullet R) \subseteq (S \bullet h^{-1})$ holds (respectively, the
relational inclusion $(R \bullet h) \subseteq (h \bullet S)$ also holds).

A relation $h : X \leadsto Z$ is a bisimulation (respectively, tense bisimulation) between
models $\mathcal{M}$ and $\mathcal{N}$ if $h : X \leadsto Z$ is a simulation (respectively, tense simulation)
of $\mathcal{M}$ by $\mathcal{N}$, and additionally $h^{-1} : Z \leadsto X$ is a simulation (respectively, tense
simulation) of $\mathcal{N}$ by $\mathcal{M}$. In particular, for a single model $\mathcal{M} = (X, R, v)$, if $h$
is an equivalence relation on $X$, then $h$ is a tense bisimulation between $\mathcal{M}$ and
itself iff for each equivalence class $V$ of $h$, both $R^{-\exists}(V)$ and $R^{\exists}(V)$ are
(possibly empty) unions of $h$-equivalence classes, and for each atomic $p \in P$, the
set $v(p)$ is a (possibly empty) union of $h$-equivalence classes.



2.4 Logic Preliminaries: Three-Valued Semantics

Let $\mathbf{3} := \{\mathrm{yes}, \mathrm{no}, \mathrm{indf}\}$ denote a set of three values, with partial order $\leq$
defined by $\mathrm{indf} \leq \omega$ and $\omega \leq \omega$ for all $\omega \in \mathbf{3}$. A three-valued must-may
Kripke model (in [7, 12], a Kripke modal transition system or KMTS) for the language
$\mathcal{L}^t_\mu(P)$ is a structure $\mathcal{M} = (X, R_{must}, R_{may}, v_{yes}, v_{no})$, where $X$ is any
non-empty set, $R_{must}$ and $R_{may}$ are two binary relations on $X$ with
$R_{must} \subseteq R_{may}$, and $v_{yes}, v_{no} : P \leadsto X$ are atomic valuations such that
$v_{yes}(p) \cap v_{no}(p) = \emptyset$. A (standard) Kripke model $\mathcal{M} = (X, R, v)$ can be viewed
as a three-valued must-may Kripke model in which $R = R_{must} = R_{may}$ and
$v(p) = v_{yes}(p) = X - v_{no}(p)$. A three-valued Kripke model $\mathcal{M}$ naturally determines
two standard Kripke models $\mathcal{M}^{un} := (X, R_{must}, v^{un})$ where $v^{un}(p) := v_{yes}(p)$,
and $\mathcal{M}^{ov} := (X, R_{may}, v^{ov})$ where $v^{ov}(p) := X - v_{no}(p)$, for all atomic $p \in P$.

Extending [12], §2.2, a three-valued must-may Kripke model $\mathcal{M}$ determines three
sentence denotation maps $[\![\cdot]\!]^\mathcal{M}_\omega : \mathcal{S}^t_\mu(P) \to 2^X$, one for each of the three
values $\omega \in \mathbf{3}$, defined by induction on sentences:
$$\begin{array}{ll}
[\![p]\!]^\mathcal{M}_{yes} := v_{yes}(p) & [\![p]\!]^\mathcal{M}_{no} := v_{no}(p)\\[2pt]
[\![\bot]\!]^\mathcal{M}_{yes} := [\![\top]\!]^\mathcal{M}_{no} := \emptyset & [\![\top]\!]^\mathcal{M}_{yes} := [\![\bot]\!]^\mathcal{M}_{no} := X\\[2pt]
[\![\neg\varphi]\!]^\mathcal{M}_{yes} := [\![\varphi]\!]^\mathcal{M}_{no} & [\![\neg\varphi]\!]^\mathcal{M}_{no} := [\![\varphi]\!]^\mathcal{M}_{yes}\\[2pt]
[\![\varphi_1 \vee \varphi_2]\!]^\mathcal{M}_{yes} := [\![\varphi_1]\!]^\mathcal{M}_{yes} \cup [\![\varphi_2]\!]^\mathcal{M}_{yes} &
[\![\varphi_1 \vee \varphi_2]\!]^\mathcal{M}_{no} := [\![\varphi_1]\!]^\mathcal{M}_{no} \cap [\![\varphi_2]\!]^\mathcal{M}_{no}\\[2pt]
[\![\varphi_1 \wedge \varphi_2]\!]^\mathcal{M}_{yes} := [\![\varphi_1]\!]^\mathcal{M}_{yes} \cap [\![\varphi_2]\!]^\mathcal{M}_{yes} &
[\![\varphi_1 \wedge \varphi_2]\!]^\mathcal{M}_{no} := [\![\varphi_1]\!]^\mathcal{M}_{no} \cup [\![\varphi_2]\!]^\mathcal{M}_{no}\\[2pt]
[\![\langle F\rangle\varphi]\!]^\mathcal{M}_{yes} := R_{must}^{-\exists}([\![\varphi]\!]^\mathcal{M}_{yes}) &
[\![\langle F\rangle\varphi]\!]^\mathcal{M}_{no} := R_{may}^{-\forall}([\![\varphi]\!]^\mathcal{M}_{no})\\[2pt]
[\![\langle P\rangle\varphi]\!]^\mathcal{M}_{yes} := R_{must}^{\exists}([\![\varphi]\!]^\mathcal{M}_{yes}) &
[\![\langle P\rangle\varphi]\!]^\mathcal{M}_{no} := R_{may}^{\forall}([\![\varphi]\!]^\mathcal{M}_{no})\\[2pt]
[\![\mu z.\varphi]\!]^\mathcal{M}_{yes} := \bigcup_{\lambda < \eta_\mathcal{M}} W^{(\lambda)} &
[\![\mu z.\varphi]\!]^\mathcal{M}_{no} := \bigcap_{\lambda < \eta_\mathcal{M}} V^{(\lambda)}
\end{array}$$
and $[\![\varphi]\!]^\mathcal{M}_{indf} := X - ([\![\varphi]\!]^\mathcal{M}_{yes} \cup [\![\varphi]\!]^\mathcal{M}_{no})$ for all sentences
$\varphi \in \mathcal{S}^t_\mu(P)$. For the fixed-point constructor, one appeals as in [12] to the
alternative iterative formulation of the Tarski fixed-point theorem for monotone
operators on a complete lattice. The iteration bound $\eta_\mathcal{M}$ is the ordinal of the
cardinality of $2^X$; the affirming iteration sets $W^{(\lambda)}$ are defined by
$W^{(0)} := \emptyset$, and $W^{(\rho)} := \bigcup_{\lambda < \rho} W^{(\lambda)}$ for limit ordinals $\rho < \eta_\mathcal{M}$,
and for successor ordinals, $W^{(\lambda+1)} := [\![\varphi]\!]^{\mathcal{M},\xi}_{yes}$ where $\xi$ is any variable
assignment such that $\xi(z) = W^{(\lambda)}$ ($z$ is the sole free variable in $\varphi$). The
refuting iteration sets $V^{(\lambda)}$ are defined by $V^{(0)} := X$, and
$V^{(\rho)} := \bigcap_{\lambda < \rho} V^{(\lambda)}$ for limit ordinals $\rho < \eta_\mathcal{M}$, and for successor
ordinals, $V^{(\lambda+1)} := [\![\psi]\!]^{\mathcal{M},\xi}_{no}$ where $\xi$ is any assignment such that
$\xi(z) = V^{(\lambda)}$ and $\psi := \neg\varphi[z := \neg z]$.

Let $\mathcal{M} = (X, R_{must}, R_{may}, v_{yes}, v_{no})$ and $\mathcal{N} = (Z, S_{must}, S_{may}, u_{yes}, u_{no})$ be
three-valued must-may Kripke models. A relation $h : X \leadsto Z$ is a mixed simulation
(respectively, mixed tense simulation) of model $\mathcal{M}$ by model $\mathcal{N}$, or model $\mathcal{N}$
is a three-valued abstraction of $\mathcal{M}$ under $h$ [7, 12], if: (a) $h : X \leadsto Z$ is a
simulation (respectively, tense simulation) of $\mathcal{M}^{ov}$ by $\mathcal{N}^{ov}$; and (b)
$h^{-1} : Z \leadsto X$ is a simulation (respectively, tense simulation) of $\mathcal{N}^{un}$ by
$\mathcal{M}^{un}$. In particular, if $\mathcal{M} = (X, R, v)$ is a standard Kripke model, and $\mathcal{N}$ is
a three-valued abstraction of $\mathcal{M}$ under mixed tense simulation $h : X \leadsto Z$, then
for each $p \in P$, we have the two-sided approximation inclusions
$h^{-\exists}(u_{yes}(p)) \subseteq v(p) \subseteq h^{-\forall}(Z - u_{no}(p))$ for the atomic denotation sets
$v(p)$ in the concrete model $\mathcal{M}$. Consequently, it follows by induction on
sentences that if $\mathcal{N}$ is a finite three-valued abstraction of $\mathcal{M}$ under $h$, then
for all $\mu$-calculus sentences $\varphi \in \mathcal{S}^t_\mu(P)$, we have:
$$h^{-\exists}([\![\varphi]\!]^\mathcal{N}_{yes}) \subseteq [\![\varphi]\!]^\mathcal{M} \subseteq h^{-\forall}(Z - [\![\varphi]\!]^\mathcal{N}_{no}) \qquad (1)$$
3 Finite Approximation Schemes for Model-Checking

We begin by developing a generic notion of a scheme for approximate evaluation
of sentences, which makes central the task of fulfilling the two-sided
approximation inclusions.

Definition 1. [Schemes for approximate model-checking]

Given a Kripke model $\mathcal{M} = (X, R, v)$ for the language $\mathcal{L}^t_\mu(P)$ generated from a
finite set $P$ of atomic propositions, a finite approximation scheme (f.a.s.) for $\mathcal{M}$
over $P$ is a pair of structures $\mathcal{E} = (\mathcal{E}^{un}, \mathcal{E}^{ov})$ with $\mathcal{E}^{un} = (A_{un}, \mathrm{un}, k_{un})$ and
$\mathcal{E}^{ov} = (A_{ov}, \mathrm{ov}, k_{ov})$, where $A_{un}$ and $A_{ov}$ are non-empty finite sets, and the
functions $\mathrm{un} : \mathcal{S}^t_\mu(P) \to A_{un}$ and $k_{un} : A_{un} \to 2^X$, and $\mathrm{ov} : \mathcal{S}^t_\mu(P) \to A_{ov}$ and
$k_{ov} : A_{ov} \to 2^X$, are such that for all sentences $\varphi \in \mathcal{S}^t_\mu(P)$:
$$k_{un}(\mathrm{un}(\varphi)) \subseteq [\![\varphi]\!]^\mathcal{M} \subseteq k_{ov}(\mathrm{ov}(\varphi)) \qquad (2)$$
The following diagram indicates the types of the maps (but it is not a
commutative diagram):

(diagram not reproduced: $\mathrm{un}$ and $\mathrm{ov}$ map sentences in $\mathcal{S}^t_\mu(P)$ to $A_{un}$ and
$A_{ov}$, and $k_{un}$ and $k_{ov}$ map these finite sets to $2^X$)

The idea is that elements $a \in A_{un}$ or $a \in A_{ov}$ are abstract or symbolic
representatives for state sets $W \subseteq X$, and the concretization maps $k_{un} : A_{un} \to 2^X$
and $k_{ov} : A_{ov} \to 2^X$ realize or decode the abstract representation. The
propositional and modal operators on sentences should be semantically interpreted
via $\mathrm{un}$ and $\mathrm{ov}$ by functions on the finite sets $A_{un}$ or $A_{ov}$. More specifically,
these functions should constitute the semantics of computer programs implementing
specific approximation algorithms for the various operators/functions on $2^X$:
the Boolean set-theoretic operations and the relational pre-/post-image operators
$R^{-\exists}, R^{-\forall}, R^{\exists}, R^{\forall} : 2^X \to 2^X$, and the least fixed points of
$\subseteq$-monotone operators $F : 2^X \to 2^X$ built up from them.

Note that, as for the work on abstraction via three-valued must-may models in
[7, 12], our two-sided approach of giving both under- and over-approximation values
does provide substantial information about the unknown or unknowable denotation
set $[\![\varphi]\!]^\mathcal{M}$. When we have values for both $k_{ov}(\mathrm{ov}(\varphi))$ and $k_{un}(\mathrm{un}(\varphi))$
from an f.a.s. $\mathcal{E}$, then we know the true set $[\![\varphi]\!]^\mathcal{M}$ lies somewhere in between,
and the set difference $k_{ov}(\mathrm{ov}(\varphi)) - k_{un}(\mathrm{un}(\varphi))$ is the set of all states in $X$
at which the sentence $\varphi$ does not have a determinate truth value under $\mathcal{E}$. In
contrast, if one has only a one-sided approximation scheme returning values
$\mathrm{Over}([\![\varphi]\!]^\mathcal{M})$ and satisfying the single inclusion $[\![\varphi]\!]^\mathcal{M} \subseteq \mathrm{Over}([\![\varphi]\!]^\mathcal{M})$,
then one has no further knowledge of accuracy when, prima facie, the exact set is
not known.

Clearly, there are better and worse approximation schemes, where the natural
notion of "better" for a scheme is to return set values closer to that of the exact
denotation set. We also identify further desirable properties of schemes, such as
a scheme $\mathcal{E}$ behaving "reasonably" or "coherently".
Definition 2. Given two finite approximation schemes $\mathcal{E}^1 = (\mathcal{E}^1_{un}, \mathcal{E}^1_{ov})$ and
$\mathcal{E}^2 = (\mathcal{E}^2_{un}, \mathcal{E}^2_{ov})$ for a model $\mathcal{M}$ over $P$, we say that $\mathcal{E}^2$ is a refinement of
$\mathcal{E}^1$, and we write $\mathcal{E}^1 \preccurlyeq \mathcal{E}^2$, if for all sentences $\varphi \in \mathcal{S}^t_\mu(P)$:
$$k^1_{un}(\mathrm{un}^1(\varphi)) \subseteq k^2_{un}(\mathrm{un}^2(\varphi)) \subseteq [\![\varphi]\!]^\mathcal{M} \subseteq k^2_{ov}(\mathrm{ov}^2(\varphi)) \subseteq k^1_{ov}(\mathrm{ov}^1(\varphi))$$
A refinement is proper, written $\mathcal{E}^1 \prec \mathcal{E}^2$, if for some sentence $\varphi \in \mathcal{S}^t_\mu(P)$,
either $k^1_{un}(\mathrm{un}^1(\varphi)) \subsetneq k^2_{un}(\mathrm{un}^2(\varphi))$, or $k^2_{ov}(\mathrm{ov}^2(\varphi)) \subsetneq k^1_{ov}(\mathrm{ov}^1(\varphi))$.

Two f.a. schemes $\mathcal{E}^1$ and $\mathcal{E}^2$ will be called bijectively equivalent if there
exist two bijective functions $f_{un} : \mathrm{ran}(\mathrm{un}^1) \to \mathrm{ran}(\mathrm{un}^2)$ and
$f_{ov} : \mathrm{ran}(\mathrm{ov}^1) \to \mathrm{ran}(\mathrm{ov}^2)$, such that for all $\varphi \in \mathcal{S}^t_\mu(P)$,
$k^1_{un}(\mathrm{un}^1(\varphi)) = k^2_{un}(f_{un}(\mathrm{un}^1(\varphi)))$,
$k^2_{un}(\mathrm{un}^2(\varphi)) = k^1_{un}(f_{un}^{-1}(\mathrm{un}^2(\varphi)))$,
$k^1_{ov}(\mathrm{ov}^1(\varphi)) = k^2_{ov}(f_{ov}(\mathrm{ov}^1(\varphi)))$, and
$k^2_{ov}(\mathrm{ov}^2(\varphi)) = k^1_{ov}(f_{ov}^{-1}(\mathrm{ov}^2(\varphi)))$.

An f.a.s. $\mathcal{E}$ is non-degenerate if both $A_{un}$ and $A_{ov}$ have at least two elements,
and $\mathrm{un}(\top) \neq \mathrm{un}(\bot)$ and $\mathrm{ov}(\top) \neq \mathrm{ov}(\bot)$. A non-degenerate f.a.s. $\mathcal{E}$ is:

– trivial if both $A_{un}$ and $A_{ov}$ have exactly two elements;

– extremal-coherent if $k_{un}(\mathrm{un}(\top)) = X$, and $k_{ov}(\mathrm{ov}(\bot)) = \emptyset$;

– full if $\mathrm{ran}(\mathrm{un}) = A_{un}$ and $\mathrm{ran}(\mathrm{ov}) = A_{ov}$;

– substitution-coherent if for all sentences $\varphi, \psi_1, \psi_2 \in \mathcal{S}^t_\mu(P)$, and all $p \in P$,
  if $\mathrm{un}(\psi_1) = \mathrm{un}(\psi_2)$ then $\mathrm{un}(\varphi[p := \psi_1]) = \mathrm{un}(\varphi[p := \psi_2])$, and
  if $\mathrm{ov}(\psi_1) = \mathrm{ov}(\psi_2)$ then $\mathrm{ov}(\varphi[p := \psi_1]) = \mathrm{ov}(\varphi[p := \psi_2])$;

– exact if $k_{un}(\mathrm{un}(\varphi)) = [\![\varphi]\!]^\mathcal{M} = k_{ov}(\mathrm{ov}(\varphi))$, for all sentences $\varphi \in \mathcal{S}^t_\mu(P)$.

Henceforth, we will treat as equal any two schemes that are bijectively equivalent.
Let $\mathrm{FAS}(\mathcal{M}, P)$ denote the set of all extremal-coherent and substitution-coherent
f.a.s. for $\mathcal{M}$ over $P$.

The refinement relation $\preccurlyeq$ defines a partial order on the set $\mathrm{FAS}(\mathcal{M}, P)$, under
our standing convention of identifying bijectively equivalent schemes. There is a
unique trivial f.a.s. $\mathcal{E}^0$ that is non-degenerate, extremal-coherent, full, and
substitution-coherent: each of $A_{un}$ and $A_{ov}$ has exactly two elements, and take
$\mathrm{un}(\varphi) = \mathrm{un}(\bot)$ for all sentences $\varphi \neq \top$; $\mathrm{ov}(\varphi) = \mathrm{ov}(\top)$ for all sentences
$\varphi \neq \bot$; $k_{un}(\mathrm{un}(\bot)) = \emptyset = k_{ov}(\mathrm{ov}(\bot))$; and $k_{un}(\mathrm{un}(\top)) = X = k_{ov}(\mathrm{ov}(\top))$.
This scheme $\mathcal{E}^0$ is the $\preccurlyeq$-minimal element of the set $\mathrm{FAS}(\mathcal{M}, P)$.

Regarding $\preccurlyeq$-maximal schemes in $\mathrm{FAS}(\mathcal{M}, P)$, it is intuitively plausible that
any scheme short of exact can always be further refined. The following result
confirms the intuition: having an exact scheme is equivalent to having a finite
bisimulation quotient.

Proposition 1. For a model $\mathcal{M}$ over $P$, the following are equivalent:

(a.) there is a maximal scheme in $\mathrm{FAS}(\mathcal{M}, P)$;

(b.) there is an exact scheme in $\mathrm{FAS}(\mathcal{M}, P)$;

(c.) $\mathcal{M}$ has a finite tense bisimulation quotient.

So for infinite models $\mathcal{M}$ that don't have finite bisimulation quotients, there
will be no maximal schemes in $\mathrm{FAS}(\mathcal{M}, P)$ under the refinement partial order $\preccurlyeq$.
This is a typical situation for hybrid systems and real-time systems, where the
state-space is the product of a finite set and a real vector space.
As noted in the introduction, and developed in Section 2.4 leading to Equation (1),
abstraction via three-valued must-may Kripke models in [12, 7] naturally gives rise
to a finite approximation scheme.

Proposition 2. If $Z$ is a finite set, and $\mathcal{N} = (Z, S_{must}, S_{may}, u_{yes}, u_{no})$ is a
three-valued must-may Kripke model that gives an abstraction of a standard Kripke
model $\mathcal{M} = (X, R, v)$ under map $h : X \leadsto Z$, then $\mathcal{E}^\mathcal{N}$ is in $\mathrm{FAS}(\mathcal{M}, P)$, where
$\mathcal{E}^\mathcal{N} := (\mathcal{E}^\mathcal{N}_{un}, \mathcal{E}^\mathcal{N}_{ov})$ with $\mathcal{E}^\mathcal{N}_{un} = (A_{un}, \mathrm{un}, k_{un})$ and
$\mathcal{E}^\mathcal{N}_{ov} = (A_{ov}, \mathrm{ov}, k_{ov})$, where: $\mathrm{un}(\varphi) := [\![\varphi]\!]^\mathcal{N}_{yes}$, and
$\mathrm{ov}(\varphi) := Z - [\![\varphi]\!]^\mathcal{N}_{no}$; $A_{un} := \mathrm{ran}(\mathrm{un}) \subseteq 2^Z$ and $A_{ov} := \mathrm{ran}(\mathrm{ov}) \subseteq 2^Z$;
and $k_{un} := h^{-\exists}$ and $k_{ov} := h^{-\forall}$.

In the remainder of the paper, we focus on finite approximation schemes that
arise from finite topologies $\mathcal{T}$ on the state space $X$ of the target concrete
model $\mathcal{M}$. We say that $\mathcal{E} \in \mathrm{FAS}(\mathcal{M}, P)$ is topological with respect to a topology
$\mathcal{T}$ on $X$ if for each sentence $\varphi \in \mathcal{S}^t_\mu(P)$, the set $k_{un}(\mathrm{un}(\varphi))$ is $\mathcal{T}$-open,
and $k_{un}(\mathrm{un}(\varphi)) \subseteq \mathrm{int}_\mathcal{T}([\![\varphi]\!]^\mathcal{M})$, and on the other side, $k_{ov}(\mathrm{ov}(\varphi))$ is
$\mathcal{T}$-closed, and $\mathrm{cl}_\mathcal{T}([\![\varphi]\!]^\mathcal{M}) \subseteq k_{ov}(\mathrm{ov}(\varphi))$.

4 Covers, A/D Maps and Their Alexandroff Topologies

An initial study of covers, A/D maps (analog-to-digital maps) and their topologies
was made by Nerode and Kohn in [11]. In this section, we build on that work to
develop just enough of the general topology of A/D maps and their Alexandroff
spaces for use in addressing the task of building approximation schemes.

Definition 3. A cover of a set $X$ is any total relation $\alpha : X \leadsto S$. We call $S$
the index set or observation set of the cover. The cells of $\alpha$ are the subsets
$\alpha^{-1}(s)$ of $X$; define $\mathrm{Cells}(\alpha) := \{\alpha^{-1}(s) \in 2^X \mid s \in \mathrm{ran}(\alpha)\}$. Let $\mathcal{T}_\alpha$ be the
topology generated by $\alpha$, i.e. the smallest subset of $2^X$ containing $\mathrm{Cells}(\alpha)$ and
closed under arbitrary unions and finite intersections.

The totality condition on $\alpha$ ensures that $X = \bigcup_{s \in S} \alpha^{-1}(s)$, so the cells of $\alpha$
do constitute a cover of $X$ in the usual sense. In general, the $\alpha$-cells constitute a
sub-basis for the topology $\mathcal{T}_\alpha$; i.e. every open set is a union of finite
intersections of $\alpha$-cells. In the special case where $\alpha : X \to S$ is actually a
function, then $\alpha$ can be thinned, by eliminating any excess elements of $S$, to give
a surjective quotient map. In this case, the $\alpha$-cells constitute a partition of $X$,
and we have the "classical collapse" of $\mathcal{T}_\alpha$ to a complete Boolean algebra.

Definition 4. Given covers $\alpha : X \leadsto S$ and $\beta : X \leadsto T$, we say $\alpha$ is refined by
$\beta$, and write $\alpha \preccurlyeq \beta$, if there exists a map $\theta : S \leadsto T$ such that $\alpha = \beta \bullet \theta^{-1}$.

This means $\alpha \preccurlyeq \beta$ iff each $\alpha$-cell indexed by $s \in \mathrm{ran}(\alpha)$ breaks up into a
union of $\beta$-cells indexed by $t \in \theta(s)$: $\alpha^{-1}(s) = \bigcup\{\beta^{-1}(t) \mid t \in \theta(s)\}$. Thus
$\alpha \preccurlyeq \beta$ iff $\mathcal{T}_\alpha \subseteq \mathcal{T}_\beta$. The transfer map $\theta$ describes how each
cell/observation $s$ of the original $\alpha$ is broken up into a union of $\beta$-cells or
converted into a set of observations $\theta(s) \subseteq T$. So $\beta$ allows us to make at least
as many distinctions between states in $X$ as does $\alpha$.
The refinement relation $\preccurlyeq$ is a pre-order on the collection (proper class) of
all covers of $X$. One can have equi-refinements $\alpha \preccurlyeq \beta$ and $\beta \preccurlyeq \alpha$ for distinct
covers $\alpha : X \leadsto S$ and $\beta : X \leadsto T$, related by transfer maps $\theta_0 : S \leadsto T$ and
$\theta_1 : T \leadsto S$ such that $\alpha = \alpha \bullet \theta_1^{-1} \bullet \theta_0^{-1}$ and $\beta = \beta \bullet \theta_0^{-1} \bullet \theta_1^{-1}$, and
having the same topology $\mathcal{T}_\alpha = \mathcal{T}_\beta$ on $X$.

For any cover $\alpha$, we can find a minimally coarse refinement $\alpha'$ such that
$\mathcal{T}_\alpha = \mathcal{T}_{\alpha'}$ and the $\alpha'$-cells constitute a basis for the topology $\mathcal{T}_\alpha$: take the
closure under non-empty finite intersections of the family $\mathrm{Cells}(\alpha)$. In our
application to finite discretization and approximation, our interest is in finite
covers: if $\mathrm{Cells}(\alpha)$ has finite cardinality $k$, then for such a topological
refinement $\alpha'$, the cardinality of $\mathrm{Cells}(\alpha')$ is bounded by $2^k - 1$, and the
cardinality of $\mathcal{T}_\alpha = \mathcal{T}_{\alpha'}$ is bounded by $2^{2^k - 1}$.

Definition 5. An A/D map on a set $X$ is a cover $\alpha : X \leadsto \mathbb{N}$ such that the
converse map $\alpha^{-1}$ is injective and the family $\mathrm{Cells}(\alpha)$ is finite and constitutes
a minimal basis for the topology $\mathcal{T}_\alpha$. Let $Z_\alpha := \mathrm{ran}(\alpha) \subseteq \mathbb{N}$ be the finite range
and let $A := \alpha^{-1} : \mathbb{N} \leadsto X$ denote the converse map, so $A(z) \subseteq X$ is the $\alpha$-cell
indexed by $z \in Z_\alpha$. Let $\mathrm{ADmap}(X)$ denote the set of all A/D maps on $X$.

An A/D map $\alpha$ determines a topology $\mathcal{T}_\alpha$ on $X$ that has only a finite number of
open sets, and is thus Alexandroff. Further clarifying the definition, by minimal
basis we mean that any proper sub-family of $\mathrm{Cells}(\alpha)$ fails to constitute a
basis for $\mathcal{T}_\alpha$, which implies that no $\alpha$-cell $A(z)$ is the union of two or more
strictly smaller open sets of $\mathcal{T}_\alpha$. To see this, suppose otherwise, so
$A(z) = U_1 \cup U_2$ where $U_1, U_2 \in \mathcal{T}_\alpha$ are both proper subsets of $A(z)$. Since
$\mathrm{Cells}(\alpha)$ is a basis, each $U_i$ is a union of basic opens in $\mathrm{Cells}(\alpha)$. But then
$\mathrm{Cells}(\alpha) - \{A(z)\}$ will be a proper sub-family constituting a basis for $\mathcal{T}_\alpha$,
contradicting the minimality of $\mathrm{Cells}(\alpha)$ as a basis. In particular, no $\alpha$-cell is
disconnected, by being a disjoint union of two smaller open sets of $\mathcal{T}_\alpha$. The
requirement that $A = \alpha^{-1}$ be injective simply means that there is no redundancy
in $Z_\alpha$: $z \neq w$ implies $A(z) \neq A(w)$.

A pair of maps $\alpha, \beta \in \mathrm{ADmap}(X)$ are equi-refinements $\alpha \preccurlyeq \beta$ and $\beta \preccurlyeq \alpha$
iff there exists a bijective function $r : Z_\alpha \to Z_\beta$ such that $A(z) = B(r(z))$
and $B(w) = A(r^{-1}(w))$ for all $z \in Z_\alpha$ and $w \in Z_\beta$. Hence we can consider
the set $\mathrm{ADmap}(X)$ to be partially ordered by the refinement relation up to
re-labeling of cell indices via bijective functions.

In signal processing, analog-to-digital conversion is almost invariably modeled
by a finite partition of the analog state space. This gives single-valued and total
functions $\alpha : X \to \mathbb{N}$ with finite range, where the $\alpha$-cells are partition blocks
(and so will trivially form a minimal basis for the Boolean algebra $\mathcal{T}_\alpha$). One of
the arguments in [11] is that in looking for continuity in the process of
analog-to-digital conversion, one won't find it in the Euclidean topology on the
analog state space, so look instead at the finite topology on that space generated
by the cells of an A/D map. The definition of an A/D map here is essentially
equivalent to that in [11], which also briefly considers the non-finite case; there,
a generalized A/D map has as its cells the fully join-irreducible elements in the
lattice of open sets of an Alexandroff topology, which is equivalent to requiring
the cells form a minimal basis.
For $\alpha \in \mathrm{ADmap}(X)$, we will write $\preccurlyeq_\alpha$ and $\approx_\alpha$, respectively, for the pre-order
$\preccurlyeq_{\mathcal{T}_\alpha}$ on $X$, and the equivalence relation $(\preccurlyeq_{\mathcal{T}_\alpha} \cap \succcurlyeq_{\mathcal{T}_\alpha})$ on $X$
determined by $\mathcal{T}_\alpha$. We will also write $\mathrm{int}_\alpha$ and $\mathrm{cl}_\alpha$ for $\mathrm{int}_{\mathcal{T}_\alpha}$ and
$\mathrm{cl}_{\mathcal{T}_\alpha}$. Let $s_\alpha : X \to X/\!\approx_\alpha$ be the Stone $T_0$ quotient map
$s_\alpha(x) := [x]_{\approx_\alpha}$ mapping $x$ to its topological equivalence class
$[x]_{\approx_\alpha} \subseteq X$. The following result gives clean characterizations of the
$\approx_\alpha$-classes, and of the topological operators $\mathrm{int}_\alpha$ and $\mathrm{cl}_\alpha$.

Proposition 3. Let $\alpha : X \leadsto Z_\alpha$ be any non-trivial A/D map on $X$.

(1.) The function $F : X/\!\approx_\alpha \to Z_\alpha$ defined by
$$F(s_\alpha(x)) = z \quad\text{iff}\quad s_\alpha(x) = A(z) - \bigcup\{A(w) \mid A(w) \subsetneq A(z)\}$$
is a bijection, hence the function $q_\alpha : X \to Z_\alpha$ defined by $q_\alpha(x) := F(s_\alpha(x))$
is surjective. Let $Q_\alpha := q_\alpha^{-1} : Z_\alpha \leadsto X$ denote the converse map. Then for
all $z \in Z_\alpha$, we have $Q_\alpha(z) \subseteq A(z)$, and $Q_\alpha(z)$ is the $\approx_\alpha$ partition block
with the property that $x \in Q_\alpha(z)$ iff $A(z)$ is the smallest $\alpha$-cell containing $x$.

(2.) The finite quotient space $(Z_\alpha, \mathcal{T}_q)$ under the surjection $q_\alpha : X \to Z_\alpha$ from
$(X, \mathcal{T}_\alpha)$ has as its specialization pre-order $z \sqsubseteq w$ iff $A(w) \subseteq A(z)$.

(3.) For each $z \in Z_\alpha$, the $\alpha$-cell $A(z)$ satisfies $A(z) = \bigcup\{Q_\alpha(w) \mid z \sqsubseteq w\}$;
equivalently, $\alpha = q_\alpha \bullet (\sqsupseteq)$ and $A = (\sqsubseteq) \bullet Q_\alpha$ (in the left-to-right
composition order of Section 2.1).

(4.) The topological operators of $\mathcal{T}_\alpha$ are expressible in terms of unions of
equivalence classes. Specifically, for subsets $W \subseteq X$:
$$\mathrm{int}_\alpha(W) = \bigcup\{Q_\alpha(z) \mid A(z) \subseteq W\}$$
$$\mathrm{cl}_\alpha(W) = \bigcup\{Q_\alpha(z) \mid A(z) \cap W \neq \emptyset\} \qquad (3)$$
$$\mathrm{bd}_\alpha(W) = \bigcup\{Q_\alpha(z) \mid A(z) \cap W \neq \emptyset \text{ and } A(z) \cap (X - W) \neq \emptyset\}$$

(5.) The maps have the following semi-continuity properties with respect to
$(X, \mathcal{T}_\alpha)$ and $(Z_\alpha, \mathcal{T}_q)$:

– $q_\alpha : X \to Z_\alpha$ is both l.s.c. and u.s.c., and a continuous function;

– $Q_\alpha = q_\alpha^{-1} : Z_\alpha \leadsto X$ is both l.s.c. and u.s.c., and thus continuous;

– $\alpha : X \leadsto Z_\alpha$ is l.s.c.; and

– $A = \alpha^{-1} : Z_\alpha \leadsto X$ is u.s.c.

In Figure 1, we illustrate an A/D map $\alpha$ on a bounded region of $\mathbb{R}^2$, where
the $\alpha$-cells $A(z)$ consist of the following four types of sets:

basic larger squares: $\mathrm{Sq}(i,j)$ for $i < 9$ and $j < 14$

horizontal overlaps: $\mathrm{HO}(i,j) := \mathrm{Sq}(i,j) \cap \mathrm{Sq}(i,j+1)$ for $i < 9$ and $j < 13$

vertical overlaps: $\mathrm{VO}(i,j) := \mathrm{Sq}(i,j) \cap \mathrm{Sq}(i+1,j)$ for $i < 8$ and $j < 14$

diagonal overlaps: $\mathrm{DO}(i,j) := \mathrm{HO}(i,j) \cap \mathrm{VO}(i,j)$ for $i < 8$ and $j < 13$

Take the index set $Z_\alpha \subseteq \mathbb{N}$ to be the result of some coding of pairs and pairs
of pairs. For this example, $Z_\alpha$ has cardinality $459$; more generally, for a regular
cover $\alpha$ of a bounded region of $\mathbb{R}^2$ such as this, of size $N \times M$, the cardinality
of $Z_\alpha$ is $NM + N(M-1) + (N-1)M + (N-1)(M-1) = (2N-1)(2M-1)$, and hence at most
$4k^2$, where $k = \max\{N, M\}$.
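The cover of Figure 1 and the objects of Definition 5 and Proposition 3, as an added example that is not part of the paper. It discretises the plane to integer points so that set operations are exact: $\mathrm{Sq}(i,j)$ is taken to be the $4 \times 4$ block of points $[3i, 3i+3] \times [3j, 3j+3]$ (an assumption made here), so that neighbouring squares share one row or column of points, as in the figure. The cover is closed under non-empty finite intersections, the join-irreducible cells are kept as the minimal basis, and from them $q_\alpha$, the blocks $Q_\alpha(z)$, the specialisation pre-order $\sqsubseteq$ and the operators of equation (3) are computed. All function and variable names are the example's own.

```python
"""A/D map from a regular overlapping cover of a grid (Section 4, Figure 1).

Added example, not from the paper.  Sq(i, j) is the 4 x 4 block of integer
points [3i, 3i+3] x [3j, 3j+3] (a discretisation assumed here), so adjacent
squares share one row or column of points, as in Figure 1.
"""
from functools import lru_cache
from itertools import product


def square(i, j):
    """The basic larger square Sq(i, j) as a set of grid points."""
    return frozenset(product(range(3 * i, 3 * i + 4), range(3 * j, 3 * j + 4)))


def grid_cover(n, m):
    """Cells Sq(i, j) for i < n and j < m."""
    return {square(i, j) for i in range(n) for j in range(m)}


def ad_cells(cover):
    """Minimal basis of T_alpha (Definition 5): close the cover under non-empty
    finite intersections, then drop every set that is the union of the cells
    strictly below it (such a set is not join-irreducible)."""
    cells, frontier = set(cover), set(cover)
    while frontier:
        new = {a & b for a, b in product(frontier, cells)} - cells - {frozenset()}
        cells |= new
        frontier = new
    return {c for c in cells
            if frozenset().union(*[d for d in cells if d < c]) != c}


def ad_map(cover):
    """Index the cells by z in Z_alpha = range(len(cells)); q(x) is the index
    of the smallest cell containing x (Proposition 3(1))."""
    cells = sorted(ad_cells(cover), key=lambda c: (len(c), sorted(c)))

    def q(x):
        return min((z for z, c in enumerate(cells) if x in c),
                   key=lambda z: len(cells[z]))
    return cells, q


def blocks(cells, q, points):
    """Q_alpha(z) = q^{-1}(z): the partition blocks of the equivalence ~_alpha."""
    Q = {z: set() for z in range(len(cells))}
    for x in points:
        Q[q(x)].add(x)
    return {z: frozenset(b) for z, b in Q.items()}


def specialises(cells, z, w):
    """z below w in the quotient space (Z_alpha, T_q) iff A(w) is a subset of A(z)."""
    return cells[w] <= cells[z]


def cell_from_blocks(cells, Q, z):
    """Proposition 3(3): A(z) is the union of Q_alpha(w) over all w above z."""
    return frozenset().union(*[Q[w] for w in Q if specialises(cells, z, w)])


def interior(cells, Q, W):
    """int_alpha(W) by equation (3): blocks of the cells inside W."""
    return frozenset().union(*[Q[z] for z, c in enumerate(cells) if c <= W])


def closure(cells, Q, W):
    """cl_alpha(W) by equation (3): blocks of the cells meeting W."""
    return frozenset().union(*[Q[z] for z, c in enumerate(cells) if c & W])


def boundary(cells, Q, W):
    """bd_alpha(W): blocks of the cells meeting both W and its complement."""
    return closure(cells, Q, W) - interior(cells, Q, W)


def interior_from_basis(cells, W):
    """int_T(W) computed directly as the union of the basic opens inside W."""
    return frozenset().union(*[c for c in cells if c <= W])


@lru_cache(maxsize=None)
def figure1(n=9, m=14):
    """The n x m cover of Figure 1: returns (cells, Q, points)."""
    cover = grid_cover(n, m)
    points = frozenset().union(*cover)
    cells, q = ad_map(cover)
    return cells, blocks(cells, q, points), points


def figure1_counts():
    """|Z_alpha|, number of non-empty ~_alpha classes, (2n-1)(2m-1), |X|."""
    cells, Q, points = figure1()
    return len(cells), sum(1 for b in Q.values() if b), (2 * 9 - 1) * (2 * 14 - 1), len(points)


def square_neighbourhood(i=3, j=6):
    """Sizes of int_alpha, cl_alpha and bd_alpha of the cell Sq(i, j)."""
    cells, Q, _ = figure1()
    W = square(i, j)
    return (len(interior(cells, Q, W)), len(closure(cells, Q, W)),
            len(boundary(cells, Q, W)))
```

`figure1_counts()` returns `(459, 459, 459, 1204)`: the 459 cells are exactly the join-irreducible sets of the intersection closure, each has a non-empty block $Q_\alpha(z)$, and the count agrees with $(2N-1)(2M-1)$. For the cell $\mathrm{Sq}(3,6)$, `square_neighbourhood()` gives interior 16 (a cell is open, so it is its own interior), closure 64 (the $8 \times 8$ block of points around it, made of the blocks of the eight neighbouring squares and of the overlap cells that touch the square's corners) and boundary 48.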
Fig. 1. Example of A/D map $\alpha$ from a regular cover of a bounded region of $\mathbb{R}^2$
(figure not reproduced). Its three panels show: the closed sets of $\mathcal{T}_\alpha$; the sets
$Q_\alpha(z)$, the partition blocks of $\approx_\alpha$; and the sets $A(z)$, the cells of the A/D
map $\alpha$, with cells of the types $\mathrm{HO}(i,j)$, $\mathrm{VO}(i,j)$ and $\mathrm{DO}(i,j)$ labelled.

5 Topological f.a.s. from A/D Maps

We will use an A/D map $\alpha$ and its topology $\mathcal{T}_\alpha$ to construct a topological
finite approximation scheme $\mathcal{E}^\alpha$ for a concrete Kripke model $\mathcal{M} = (X, R, v)$.
To satisfy the conditions that $k_{un}(\mathrm{un}(\varphi))$ is $\mathcal{T}_\alpha$-open and $k_{ov}(\mathrm{ov}(\varphi))$ is
$\mathcal{T}_\alpha$-closed, we will need to enforce various semi-continuity properties on
relations $S^\alpha_{un}, S^\alpha_{ov} : Z_\alpha \leadsto Z_\alpha$ used in the approximation of the $R$
modal/tense operators, and need to draw on the semi-continuity properties
established in Proposition 3.

In what follows, we are given a model $\mathcal{M} = (X, R, v)$, and we need to have
available an A/D map $\alpha \in \mathrm{ADmap}(X)$ and a pair of operators on sets
$\mathrm{upo}_\alpha, \mathrm{opo}_\alpha : \mathrm{Cells}(\alpha) \to 2^X$ such that
$\mathrm{upo}_\alpha(A(z)) \subseteq R^{\exists}(A(z)) \subseteq \mathrm{opo}_\alpha(A(z))$ for every $\alpha$-cell
$A(z) \in \mathrm{Cells}(\alpha)$. Moreover, we must be able to determine by finite computation
whether $A(w) \subseteq \mathrm{upo}_\alpha(A(z))$ and whether $A(w) \cap \mathrm{opo}_\alpha(A(z)) \neq \emptyset$. So for
example, if all the cells of the A/D map as well as the approximated values of
$\mathrm{upo}_\alpha$ and $\mathrm{opo}_\alpha$ on cells are first-order definable in a decidable structure
(such as $\mathbb{R}$ as a real-closed field), then the computational pre-conditions will be
met.

Definition 6. For a Kripke model $\mathcal{M} = (X, R, v)$ over $P$, a triple
$(\alpha, \mathrm{upo}_\alpha, \mathrm{opo}_\alpha)$ will be called A/D adequate if $\alpha : X \leadsto Z_\alpha$ is a
non-degenerate A/D map on $X$, and the operators on sets
$\mathrm{upo}_\alpha, \mathrm{opo}_\alpha : \mathrm{Cells}(\alpha) \to 2^X$ satisfy:

(i) for all $p \in P$, either $v(p) = \emptyset$, or there exists $z \in Z_\alpha$ such that $A(z) \subseteq v(p)$;

(ii) for all $z, w \in Z_\alpha$, if $A(z) \subseteq A(w)$ (i.e. $w \sqsubseteq z$), then
$\mathrm{upo}_\alpha(A(z)) \subseteq \mathrm{upo}_\alpha(A(w))$, and $\mathrm{opo}_\alpha(A(z)) \subseteq \mathrm{opo}_\alpha(A(w))$;

(iii) $\mathrm{upo}_\alpha(A(z)) \subseteq R^{\exists}(A(z)) \subseteq \mathrm{opo}_\alpha(A(z))$ for every $\alpha$-cell
$A(z) \in \mathrm{Cells}(\alpha)$;

(iv) for all $z, z', w \in Z_\alpha$, if $A(z') \subseteq A(z)$ and $A(w) \subseteq \mathrm{upo}_\alpha(A(z))$, then there
exists $w' \in Z_\alpha$ such that $A(w') \subseteq A(w) \cap \mathrm{upo}_\alpha(A(z'))$.

The first adequacy condition (i) says that $\alpha$ has to be fine enough to fit a cell
inside every non-empty atomic denotation set. Condition (ii) asks that the
operators $\mathrm{upo}_\alpha$ and $\mathrm{opo}_\alpha$ should be inclusion-monotone on $\alpha$-cells, and (iii)
requires that they give correct approximations of the post-image operator $R^{\exists}$
applied to $\alpha$-cells. Condition (iv) amounts to asking for a semi-continuity property
of a relation on the finite index set $Z_\alpha$ derived from $\mathrm{upo}_\alpha$.

Fig. 2. Finite relation $S^\alpha_{un}$ from A/D map $\alpha$ and known operator $\mathrm{upo}_\alpha$ on
$\alpha$-cells (figure not reproduced; it shows the cell $A(z) = \mathrm{Sq}(3,6)$, the blocks
$Q_\alpha(w)$ for $w \in S^\alpha_{un}(z)$, and the set $\mathrm{upo}_\alpha(A(z))$).

Fig. 3. Finite relation $S^\alpha_{ov}$ from A/D map $\alpha$ and known operator $\mathrm{opo}_\alpha$ on
$\alpha$-cells (figure not reproduced).

Proposition 4. [Construction of finite approximating Kripke models]

Given a Kripke model $\mathcal{M} = (X, R, v)$ over $P$, suppose $(\alpha, \mathrm{upo}_\alpha, \mathrm{opo}_\alpha)$ is A/D
adequate for $\mathcal{M}$. Define two finite Kripke models $\mathcal{N}^\alpha_{un} = (Z_\alpha, S^\alpha_{un}, u_{un})$ and
$\mathcal{N}^\alpha_{ov} = (Z_\alpha, S^\alpha_{ov}, u_{ov})$ by:
$$S^\alpha_{un}(z) := \{w \in Z_\alpha \mid A(w) \subseteq \mathrm{upo}_\alpha(A(z))\} \qquad u_{un}(p) := \{z \in Z_\alpha \mid A(z) \subseteq v(p)\}$$
$$S^\alpha_{ov}(z) := \{w \in Z_\alpha \mid A(w) \cap \mathrm{opo}_\alpha(A(z)) \neq \emptyset\} \qquad u_{ov}(p) := \{z \in Z_\alpha \mid A(z) \cap v(p) \neq \emptyset\}$$
Consider the set $Z_\alpha$ equipped with the quotient topology $\mathcal{T}_q = \mathcal{T}_\sqsubseteq$. Then the
maps $S^\alpha_{un} : Z_\alpha \leadsto Z_\alpha$ and $(S^\alpha_{un})^{-1} : Z_\alpha \leadsto Z_\alpha$ are both l.s.c. and each
atomic set $u_{un}(p)$ is $\mathcal{T}_q$-open, and the maps $S^\alpha_{ov} : Z_\alpha \leadsto Z_\alpha$ and
$(S^\alpha_{ov})^{-1} : Z_\alpha \leadsto Z_\alpha$ are both u.s.c. and each atomic set $u_{ov}(p)$ is
$\mathcal{T}_q$-closed.

In Figures 2 and 3, we illustrate the process of "blockifying" a pair of known
approximating operators $\mathrm{upo}_\alpha$ and $\mathrm{opo}_\alpha$ through an A/D map $\alpha$ to produce the
relations $S^\alpha_{un}$ and $S^\alpha_{ov}$ in the models $\mathcal{N}^\alpha_{un}$ and $\mathcal{N}^\alpha_{ov}$, as defined in
Proposition 4.

Proposition 5. [Topological f.a.s. from A/D maps]

Given a Kripke model $\mathcal{M} = (X, R, v)$ for $\mathcal{L}^t_\mu(P)$, suppose $(\alpha, \mathrm{upo}_\alpha, \mathrm{opo}_\alpha)$ is
A/D adequate for $\mathcal{M}$, and let $\mathcal{N}^\alpha_{un} = (Z_\alpha, S^\alpha_{un}, u_{un})$ and
$\mathcal{N}^\alpha_{ov} = (Z_\alpha, S^\alpha_{ov}, u_{ov})$ be the finite models defined in Proposition 4. Define
two maps $\mathrm{un} : \mathcal{S}^t_\mu(P) \to 2^{Z_\alpha}$ and $\mathrm{ov} : \mathcal{S}^t_\mu(P) \to 2^{Z_\alpha}$ by mutual induction on
sentences:
$$\begin{array}{ll}
\mathrm{un}(p) := u_{un}(p) & \mathrm{ov}(p) := u_{ov}(p)\\[2pt]
\mathrm{un}(\bot) := \emptyset & \mathrm{ov}(\bot) := \emptyset\\[2pt]
\mathrm{un}(\top) := Z_\alpha & \mathrm{ov}(\top) := Z_\alpha\\[2pt]
\mathrm{un}(\neg\varphi) := Z_\alpha - \mathrm{ov}(\varphi) & \mathrm{ov}(\neg\varphi) := Z_\alpha - \mathrm{un}(\varphi)\\[2pt]
\mathrm{un}(\varphi_1 \vee \varphi_2) := \mathrm{un}(\varphi_1) \cup \mathrm{un}(\varphi_2) & \mathrm{ov}(\varphi_1 \vee \varphi_2) := \mathrm{ov}(\varphi_1) \cup \mathrm{ov}(\varphi_2)\\[2pt]
\mathrm{un}(\varphi_1 \wedge \varphi_2) := \mathrm{un}(\varphi_1) \cap \mathrm{un}(\varphi_2) & \mathrm{ov}(\varphi_1 \wedge \varphi_2) := \mathrm{ov}(\varphi_1) \cap \mathrm{ov}(\varphi_2)\\[2pt]
\mathrm{un}(\langle F\rangle\varphi) := (S^\alpha_{un})^{-\exists}(\mathrm{un}(\varphi)) & \mathrm{ov}(\langle F\rangle\varphi) := (S^\alpha_{ov})^{-\exists}(\mathrm{ov}(\varphi))\\[2pt]
\mathrm{un}(\langle P\rangle\varphi) := (S^\alpha_{un})^{\exists}(\mathrm{un}(\varphi)) & \mathrm{ov}(\langle P\rangle\varphi) := (S^\alpha_{ov})^{\exists}(\mathrm{ov}(\varphi))\\[2pt]
\mathrm{un}(\mu z.\varphi) := \bigcup_{n < K_\alpha} \mathrm{un}(\varphi^n) & \mathrm{ov}(\mu z.\varphi) := \bigcup_{n < K_\alpha} \mathrm{ov}(\varphi^n)
\end{array}$$
where $\varphi^0 := \bot$ and $\varphi^{n+1} := \varphi[z := \varphi^n]$, and the iteration bound is
$K_\alpha := |\mathcal{T}_q|$.

Then $\mathcal{E}^\alpha := (\mathcal{E}^\alpha_{un}, \mathcal{E}^\alpha_{ov})$ is in $\mathrm{FAS}(\mathcal{M}, P)$, and is a topological f.a.s. with
respect to the finite topology $\mathcal{T}_\alpha$ on $X$, where $\mathcal{E}^\alpha_{un} := (\mathcal{T}_q, \mathrm{un}, k^\alpha_{un})$ and
$\mathcal{E}^\alpha_{ov} := (\mathcal{T}_q^{\,c}, \mathrm{ov}, k^\alpha_{ov})$ (the $\mathcal{T}_q$-open and the $\mathcal{T}_q$-closed subsets of $Z_\alpha$,
respectively), and $k^\alpha_{un} : \mathcal{T}_q \to 2^X$ and $k^\alpha_{ov} : \mathcal{T}_q^{\,c} \to 2^X$ are given by
$k^\alpha_{un} := q_\alpha^{-1}$ and $k^\alpha_{ov} := q_\alpha^{-1}$.

In addition, if $\beta \in \mathrm{ADmap}(X)$, $\alpha \preccurlyeq \beta$, $(\beta, \mathrm{upo}_\beta, \mathrm{opo}_\beta)$ is A/D adequate for
$\mathcal{M}$, and $\mathrm{upo}_\alpha(B(w)) \subseteq \mathrm{upo}_\beta(B(w)) \subseteq R^{\exists}(B(w)) \subseteq \mathrm{opo}_\beta(B(w)) \subseteq \mathrm{opo}_\alpha(B(w))$
for all $\beta$-cells $B(w)$ for $w \in Z_\beta$, then $\mathcal{E}^\alpha \preccurlyeq \mathcal{E}^\beta$.
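The construction of Propositions 4 and 5 carried out on a constructed concrete model, as an added example that is not part of the paper. The model is the integer line $X = \{0, \dots, 11\}$ with $R(x) = \{x, x+1\}$ (and $R(11) = \{11\}$), atoms $v(p) = \{3,4,5\}$ and $v(q) = \{9,10,11\}$, and an A/D map whose cells are four overlapping windows and their three overlaps. The first four functions are the pre-/post-image operators of Section 2.1, and `denote3` is the three-valued must-may semantics of Section 2.4 (a standard model is the case $R_{must} = R_{may}$, $v_{no} = X - v$); $\mathrm{un}$ and $\mathrm{ov}$ of Proposition 5 are then the yes-map and the complemented no-map of the KMTS $(Z_\alpha, S^\alpha_{un}, S^\alpha_{ov}, u_{un}, Z_\alpha - u_{ov})$, with the fixed point computed by the affirming and refuting iterations rather than by syntactic unfolding. The operators $\mathrm{upo}_\alpha$ and $\mathrm{opo}_\alpha$ are the example's own choices: $\mathrm{upo}_\alpha(A(z))$ is the union of the cells lying inside the post-image of every sub-cell of $A(z)$, which gives (ii)-(iv) of Definition 6 by construction, and $\mathrm{opo}_\alpha$ is the exact post-image. All names are assumptions of the example.

```python
"""Two-sided approximate model-checking via an A/D map (Propositions 4 and 5).

Added example, not from the paper.  Formulas are nested tuples:
('p', name) | ('var', z) | ('bot',) | ('top',) | ('not', f) | ('or', f, g) |
('and', f, g) | ('F', f) (future diamond) | ('P', f) (past diamond) |
('mu', z, f).  Relations are sets of pairs; state sets are frozensets.
"""
from itertools import product


def pre_ex(R, W):        # R^{-E}(W): states with some R-successor in W
    return frozenset(x for x, y in R if y in W)


def pre_all(R, X, W):    # R^{-A}(W): states all of whose R-successors lie in W
    return frozenset(x for x in X if all(y in W for x2, y in R if x2 == x))


def post_ex(R, W):       # R^{E}(W): R-successors of states in W
    return frozenset(y for x, y in R if x in W)


def post_all(R, X, W):   # R^{A}(W): states all of whose R-predecessors lie in W
    return frozenset(y for y in X if all(x in W for x, y2 in R if y2 == y))


def denote3(model, phi, env=None):
    """The pair ([[phi]]_yes, [[phi]]_no) over (X, Rmust, Rmay, vyes, vno);
    env binds fixed-point variables to (yes, no) pairs."""
    X, Rmust, Rmay, vyes, vno = model
    env = env or {}
    tag = phi[0]
    if tag == 'p':
        return vyes[phi[1]], vno[phi[1]]
    if tag == 'var':
        return env[phi[1]]
    if tag == 'bot':
        return frozenset(), X
    if tag == 'top':
        return X, frozenset()
    if tag == 'not':
        y, n = denote3(model, phi[1], env)
        return n, y
    if tag in ('or', 'and'):
        y1, n1 = denote3(model, phi[1], env)
        y2, n2 = denote3(model, phi[2], env)
        return (y1 | y2, n1 & n2) if tag == 'or' else (y1 & y2, n1 | n2)
    if tag == 'F':   # affirmed by a must-successor; refuted if all may-successors refute
        y, n = denote3(model, phi[1], env)
        return pre_ex(Rmust, y), pre_all(Rmay, X, n)
    if tag == 'P':   # the temporal dual, with post-images
        y, n = denote3(model, phi[1], env)
        return post_ex(Rmust, y), post_all(Rmay, X, n)
    if tag == 'mu':  # affirming sets W grow from {}, refuting sets V shrink from X
        z, body = phi[1], phi[2]
        W, V = frozenset(), X
        while True:
            W2 = denote3(model, body, {**env, z: (W, X - W)})[0]
            V2 = denote3(model, body, {**env, z: (X - V, V)})[1]
            if (W2, V2) == (W, V):
                return W, V
            W, V = W2, V2
    raise ValueError(phi)


def standard(X, R, v):
    """A standard Kripke model (X, R, v) viewed as a must-may model."""
    return (X, R, R, v, {p: X - v[p] for p in v})


# Constructed concrete model: the integer line, R(x) = {x, x+1}, R(11) = {11}.
X = frozenset(range(12))
R = frozenset((x, y) for x in X for y in (x, x + 1) if y in X)
v = {'p': frozenset({3, 4, 5}), 'q': frozenset({9, 10, 11})}
M = standard(X, R, v)

# Constructed A/D map: windows C0..C3 and their overlaps O3, O6, O9 (a minimal basis).
A = {'C0': frozenset(range(0, 5)), 'C1': frozenset(range(3, 8)),
     'C2': frozenset(range(6, 11)), 'C3': frozenset(range(9, 12)),
     'O3': frozenset({3, 4}), 'O6': frozenset({6, 7}), 'O9': frozenset({9, 10})}
Z = frozenset(A)


def q(x):
    """q_alpha(x): index of the smallest cell containing x (Proposition 3)."""
    return min((z for z in Z if x in A[z]), key=lambda z: len(A[z]))


def Q(zs):
    """k_un = k_ov = q_alpha^{-1}, applied to a set of cell indices."""
    return frozenset(x for x in X if q(x) in zs)


def upo(cell):
    """Under-approximation of R^{E}(cell): the cells inside the post-image of
    every sub-cell of `cell` (gives (ii)-(iv) of Definition 6 by construction)."""
    common = X
    for sub in (A[z] for z in Z if A[z] <= cell):
        common = common & post_ex(R, sub)
    return frozenset().union(*[A[w] for w in Z if A[w] <= common])


def opo(cell):
    """Over-approximation of R^{E}(cell): here the exact post-image."""
    return post_ex(R, cell)


def ad_scheme():
    """Proposition 4 (S_un, S_ov, u_un, u_ov) and Proposition 5 (un, ov)."""
    S_un = frozenset((z, w) for z, w in product(Z, Z) if A[w] <= upo(A[z]))
    S_ov = frozenset((z, w) for z, w in product(Z, Z) if A[w] & opo(A[z]))
    u_un = {p: frozenset(z for z in Z if A[z] <= v[p]) for p in v}
    u_ov = {p: frozenset(z for z in Z if A[z] & v[p]) for p in v}
    kmts = (Z, S_un, S_ov, u_un, {p: Z - u_ov[p] for p in v})
    return (lambda phi: denote3(kmts, phi)[0],       # un
            lambda phi: Z - denote3(kmts, phi)[1])   # ov


un, ov = ad_scheme()


def two_sided(phi):
    """(k_un(un(phi)), [[phi]]^M, k_ov(ov(phi)), whether inclusion (2) holds)."""
    lo, exact, hi = Q(un(phi)), denote3(M, phi)[0], Q(ov(phi))
    return lo, exact, hi, lo <= exact <= hi
```

For $\langle P\rangle p$ the scheme returns $\{3,4\} \subseteq \{3,4,5,6\} \subseteq \{0,\dots,8\}$; for $\mu z.(q \vee \langle P\rangle z)$ ("$q$ held now or earlier") the under-side is exact, $\{9,10,11\}$, while the over-side is all of $X$, because every cell meeting the post-image of a cell is pulled into $S^\alpha_{ov}$ and the overlaps chain the windows together; negating the sentence swaps the two sides, so $\neg\mu z.(q \vee \langle P\rangle z)$ gets the exact value $\{0,\dots,8\}$ on the over-side and $\emptyset$ on the under-side. One caveat a user of this construction should check for themselves: the clause $\mathrm{un}(\langle F\rangle\varphi) = (S^\alpha_{un})^{-\exists}(\mathrm{un}(\varphi))$ only certifies that some cell inside the post-image of $A(z)$ satisfies $\varphi$, which is information about predecessors of that cell rather than about the successors of each individual state of $Q_\alpha(z)$; on this model it returns $\{0,\dots,4\}$ for $\langle F\rangle p$ although $[\![\langle F\rangle p]\!]^\mathcal{M} = \{2,3,4,5\}$, so inclusion (2) is exercised here on atomic, Boolean, past-diamond and fixed-point sentences only.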

This work emerged from a study by the authors of topological semantics for
intuitionistic modal and tense logics, and their relationship under the Gödel
translation to classical multi-modal logics equipped with additional S4 modal
operators $\Box$ and $\Diamond$ interpreted by topological interior and closure,
respectively. In the light of this background, we are led to consider
Gödel-inspired translation maps from the base language $\mathcal{L}^t_\mu(P)$ into a multi-modal
extension, which allows us to formally express and reason about not only the "real
thing", but also our under- and over-approximations.

Let $\mathcal{L}^t_\Box(P)$ be the multi-modal language which extends $\mathcal{L}^t(P)$ (the tense
language generated from $P$ without the $\mu$ operator) by the addition of further
pairs of tense diamonds, $\langle F\rangle_\circ$ and $\langle P\rangle_\circ$, and $\langle F\rangle^*$ and $\langle P\rangle^*$, and a
plain box modality $\Box$. As before, we treat $\to$, $\Diamond$, and the now three pairs of
tense box modalities $[F]$ and $[P]$, $[F]_\circ$ and $[P]_\circ$, and $[F]^*$ and $[P]^*$, as all
classically definable.
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Proposition 6. Given a Kripke model Ad = ( X , R, v) over P, suppose the triple 
(a, upo a , opo a ) is A/D adequate for Ad, and let Af/ n = (/Z a , S^ n ,u U n), and 
Afg V = [Z a , Sf v ,u ov ) be the finite models defined in Proposition 4- 
Define a multi-relational topological model Ad* := ( X , P a , R , Rf v , v ) for the 
language £q(P), with int a interpreting □. relation R interpreting <j> and and 
relations P“ n interpreting <z> 0 and and interpreting <$>’ and where: 

Kn ■= 9a • S° n • q/ 1 and Rf v := q a • Sf v • q/ 1 

Then there are two Godel-like translation maps UT,OT: £^(P) — > ££,(P) sitc/i 
1/iai i/ie approximation values generated by the f.a.s. E a are (classically) ex- 
pressible in £q(P), over the model Ad*, in the sense that, for all sentences 



9a 1 ( un (yj)) = |UT(vj)] a1 - 


and 


9a 1 ( OV (£)) = [OT(£)] A1 “ 


Ad* b UT(<b - ip 


and 


Ad* b £ ^ OT(b 


Ad* b UT(b «-► □UT(<p) 


and 


Al* b OT(b) «-► O OT(yj) 


The mutually recursive translation maps are defined as follows:

$$\begin{array}{ll}
\mathrm{UT}(p) := \square p & \mathrm{OT}(p) := \Diamond p \\
\mathrm{UT}(\bot) := \bot & \mathrm{OT}(\bot) := \bot \\
\mathrm{UT}(\top) := \top & \mathrm{OT}(\top) := \top \\
\mathrm{UT}(\neg\varphi) := \neg\mathrm{OT}(\varphi) & \mathrm{OT}(\neg\varphi) := \neg\mathrm{UT}(\varphi) \\
\mathrm{UT}(\varphi_1 \vee \varphi_2) := \mathrm{UT}(\varphi_1) \vee \mathrm{UT}(\varphi_2) & \mathrm{OT}(\varphi_1 \vee \varphi_2) := \mathrm{OT}(\varphi_1) \vee \mathrm{OT}(\varphi_2) \\
\mathrm{UT}(\varphi_1 \wedge \varphi_2) := \mathrm{UT}(\varphi_1) \wedge \mathrm{UT}(\varphi_2) & \mathrm{OT}(\varphi_1 \wedge \varphi_2) := \mathrm{OT}(\varphi_1) \wedge \mathrm{OT}(\varphi_2) \\
\mathrm{UT}(\lozenge\varphi) := \lozenge^{\circ}\,\mathrm{UT}(\varphi) & \mathrm{OT}(\lozenge\varphi) := \lozenge^{*}\,\mathrm{OT}(\varphi) \\
\mathrm{UT}(\blacklozenge\varphi) := \blacklozenge^{\circ}\,\mathrm{UT}(\varphi) & \mathrm{OT}(\blacklozenge\varphi) := \blacklozenge^{*}\,\mathrm{OT}(\varphi) \\
\mathrm{UT}(\mu z.\varphi) := \bigvee_{n < K_\alpha} \mathrm{UT}(\varphi) & \mathrm{OT}(\mu z.\varphi) := \bigvee_{n < K_\alpha} \mathrm{OT}(\varphi)
\end{array}$$

where the iteration bound is $K_\alpha = |Z_\alpha|$.

For example, in the extended language $\mathcal{L}_\square(P)$, the formula $\mathrm{OT}(\varphi) \wedge \neg\mathrm{UT}(\varphi)$ denotes in $\mathcal{M}^\alpha$ the set of all states $x \in X$ that do not have a determinate truth value under the scheme $\Sigma_\alpha$.

We conclude the paper with a comprehensiveness result: from any finite approximation scheme $\Sigma \in \mathrm{FAS}(\mathcal{M}, P)$, we can construct an A/D map $\alpha$ and a topological f.a.s. $\Sigma_\alpha$ that is a refinement of the given scheme $\Sigma$.

Proposition 7. [Comprehensiveness of topological finite approximation schemes]

Given any f.a.s. $\Sigma \in \mathrm{FAS}(\mathcal{M}, P)$ for a model $\mathcal{M} = (X, R, v)$, there exists an A/D map $\alpha : X \to Z_\alpha$, and a pair of finite models $\mathcal{N}^\alpha_{un} = (Z_\alpha, S^\alpha_{un}, u_{un})$ and $\mathcal{N}^\alpha_{ov} = (Z_\alpha, S^\alpha_{ov}, u_{ov})$ which determine a topological finite approximation scheme $\Sigma_\alpha$, as given in Proposition 5, such that $\Sigma \preceq \Sigma_\alpha$.

Moreover, the A/D map $\alpha$ and the models $\mathcal{N}^\alpha_{un}$ and $\mathcal{N}^\alpha_{ov}$ are such that the construction and conclusions of Proposition 6 hold of them.
6 Conclusions

This paper gives clear focus to the problem of approximate model-checking in modal and tense logics, calling for two-sided approximations propagated to arbitrarily complex formulas. We have developed a generic notion of a finite approximation scheme for a model, and of a partial ordering on such schemes, and we have established the naturalness of the notion by proving that a model has a maximally refined finite approximation scheme if and only if it has a finite bisimulation quotient. We then gave a general construction of finite approximation schemes from A/D maps and their finite topologies plus a pair of basic approximation operators defined on the cells of the A/D map. We showed this sub-class of topological schemes to be comprehensive in the sense that, given any finite approximation scheme $\Sigma$ satisfying minimal coherence conditions, we can construct an A/D map $\alpha$ and a topological finite approximation scheme $\Sigma_\alpha$ that refines the given scheme $\Sigma$. Future work will investigate efficient implementation for reasonable classes of continuous dynamics based on [10, 1-3, 8].
Abstract. We consider a general notion of timed automata with input-determined guards and show that they admit a robust logical framework along the lines of [6], in terms of a monadic second order logic characterisation and an expressively complete timed temporal logic. We then generalize these automata using the notion of recursive operators introduced by Henzinger, Raskin, and Schobbens [10], and show that they admit a similar logical framework. These results hold in the "pointwise" semantics. We finally use this framework to show that the real-time logic MITL of Alur et al. [2] is expressively complete with respect to an MSO corresponding to an appropriate set of input-determined operators.



1 Introduction 

The timed automata of Alur and Dill [1] are a popular model for describing timed behaviours. While these automata have the plus point of being very expressive and having a decidable emptiness problem, they are neither determinizable nor closed under complementation. This is a drawback from a couple of points of view. Firstly, one cannot carry out model checking in the framework where a system is modeled as a timed transition system $T$ and a specification of timed behaviours as a timed automaton $A$, and where one asks "is $L(T) \subseteq L(A)$?". This would normally involve complementing $A$ and then checking if its intersection with $T$ is non-empty. One can get around this problem to some extent by using determinizable specifications, or specifying directly the negation of the required property. A second reason why lack of closure properties may concern us is that it precludes the existence of an unrestricted logical characterisation of the class of languages accepted by timed automata. The existence of a monadic second order logic (MSO) characterisation of a class of languages is a strong endorsement of the "regularity" of the class. It also helps in identifying expressively complete temporal logics, which are natural to use as specification languages and have relatively efficient model checking algorithms.

The event clock automata of [3] were one of the first steps towards identifying a subclass of timed automata with the required closure properties. They were shown to be determinizable in [3], and later to admit a robust logical framework in terms of an MSO characterisation and an expressively complete timed temporal logic [6]. Similar results were shown in [15], [10] and [8]. A common technique used in all these results was the idea of "implicit" clocks, whose values are determined solely by the timed word being read. For example the event recording clock $x_a$ records the time since the last $a$ action w.r.t. the current position in a timed word, and is thus implicitly reset with each $a$ action. The truth of a guard over these clocks at a point in a timed word is thus completely determined by the word itself, unlike in a timed automaton where the value of a clock depends on the path taken in the automaton.

In this paper we generalize the notion of an implicit clock to that of an input determined operator. An input determined operator $\Delta$ identifies, for a given timed word and position in it, a set of intervals in which it is "satisfied". The guard $I \in \Delta$ is then satisfied at a point in a timed word if the set of intervals identified by $\Delta$ contains $I$. For example, the event recording clock $x_a$ can be modeled as an input determined operator $\triangleleft_a$ which identifies, at a given point in a timed word, the (infinite) set of intervals containing the distance to the last $a$ action. The guard $(x_a \in I)$ now translates to $(I \in \triangleleft_a)$. As an example to show that this framework is more general than implicit clocks, consider the input determined operator $\Diamond_a$ inspired by the Metric Temporal Logic (MTL) of [12, 4]. This operator identifies the set of all intervals $I$ for which there is a future occurrence of an $a$ at a distance which lies in $I$. The guard $I \in \Diamond_a$ is now true iff there is a future occurrence of an $a$ action at a distance which lies in $I$.

Timed automata which use guards based on a set of input determined operators are what we call input determined automata. We show that input determined automata form a robust class of timed languages, in that they (a) are determinizable, (b) are effectively closed under boolean operations, (c) admit a logical characterisation via an unrestricted MSO, and (d) identify a natural expressively complete timed temporal logic.

We then go over to a more expressive framework using the idea of recursive event clocks from [10]. In the recursive version of our input determined operator, the operators now expect a third parameter (apart from the timed word and a position in it) which identifies a set of positions in the timed word. This argument could be (recursively) another input determined automaton, or, as is better illustrated, a temporal logic formula $\theta$. The formula $\theta$ naturally identifies a set of positions in a timed word where the formula is satisfied. Thus a recursive operator $\Delta$ along with the formula $\theta$, written $\Delta_\theta$, behaves like an input determined operator above, and the guard $I \in \Delta_\theta$ is true iff the set of intervals identified by $\Delta_\theta$ contains $I$. These recursive input determined automata are also shown to admit similar robust logical properties as above.

We should be careful to point out here that, firstly, these results hold in the pointwise semantics, where formulas are evaluated only at the "action points" in a timed word (used e.g. in [17]), and not at arbitrary points in between actions in a timed word as allowed in the continuous semantics of [2, 10]. Secondly, we make no claims about the existence of decision procedures for these automata and logics. In fact it can be seen that the operator $\Diamond_a$ above takes us out of the class of timed automata, as we can define the language of timed sequences of $a$'s in which no two $a$'s are a distance 1 apart with a single state input determined automaton with a loop guarded by $\neg([1,1] \in \Diamond_a)$. Similar versions can be seen to have undecidable emptiness problems and correspondingly undecidable logics [4]. Thus the contribution of this paper should be seen more in terms of a general framework for displaying logical characterisations of timed automata, and proving expressive completeness of temporal logics related to these automata. Many of the results along these lines from [8, 6] and some in the pointwise semantics from [14] follow from the results in this paper.

As a new application of this framework, we provide an expressive complete- 
ness result for MITL in the pointwise semantics, by showing that it is expressively 
equivalent to the first order fragment of an MSO based on recursive operators. 
This answers an open question from [14], apart from identifying an interesting 
class of timed automata. 

The techniques used in this paper essentially build on those from [8] and [6] which use the notion of proper symbolic alphabets and factor through the results of Büchi [5] and Kamp [11]. The idea of using recursive operators comes from [10], who show a variety of expressiveness results, including an expressive completeness for MITL in the continuous semantics. Their result for MITL is more interesting in that it uses event-clock modalities, while we use essentially the same modalities as MITL. However, our MSO is more natural as it is unrestricted, unlike the MSO in [10] which has restricted second order quantification.

2 Input Determined Automata 

We use $\mathbb{N}$ to denote the set of natural numbers $\{0, 1, \ldots\}$, and $\mathbb{R}_{\geq 0}$ and $\mathbb{Q}_{\geq 0}$ to denote the set of non-negative reals and rationals respectively. The set of finite and infinite words over an alphabet $A$ will be denoted by $A^*$ and $A^\omega$ respectively. We use the notation $X \to Y$ to denote the set of functions from $X$ to $Y$.

An (infinite) timed word over an alphabet $\Sigma$ is an element $\sigma$ of $(\Sigma \times \mathbb{R}_{\geq 0})^\omega$ satisfying the following conditions. Let $\sigma = (a_0, t_0)(a_1, t_1) \cdots$. Then:

1. (monotonicity) for each $i \in \mathbb{N}$, $t_i \leq t_{i+1}$,

2. (progressiveness) for each $t \in \mathbb{R}_{\geq 0}$ there exists $i \in \mathbb{N}$ such that $t_i > t$.

Let $T\Sigma^\omega$ denote the set of infinite timed words over $\Sigma$. Where convenient, we will use the representation of $\sigma$ as $(a, \tau)$ where $a \in \Sigma^\omega$ and $\tau : \mathbb{N} \to \mathbb{R}_{\geq 0}$ is a time sequence satisfying the conditions above.

We will use rational bounded intervals to specify timing constraints. These intervals can be open or closed, and we allow $\infty$ as an open right end. These intervals denote a subset of reals in the usual manner; for example $[2, \infty)$ denotes the set $\{t \in \mathbb{R}_{\geq 0} \mid 2 \leq t\}$. The set of all intervals is denoted $\mathcal{I}_\mathbb{Q}$.

Our input determined automata will use guards of the form "$I \in \Delta$", where $I$ is an interval and $\Delta$ is an operator which determines, for a given timed word $\sigma$ and a position $i$ in it, a set of intervals "satisfying" it at that point. We then say that $\sigma$ at position $i$ satisfies the guard "$I \in \Delta$" if $I$ belongs to the set of intervals identified by $\Delta$. By a "position" in the timed word we mean one of the "action points" or instants given by the time-stamp sequence, and use natural numbers $i$ (instead of the time $\tau(i)$) to denote these positions. More formally, an input determined operator $\Delta$ (w.r.t. the alphabet $\Sigma$) has a semantic function $[\![\Delta]\!] : (T\Sigma^\omega \times \mathbb{N}) \to 2^{\mathcal{I}_\mathbb{Q}}$. The guard $I \in \Delta$ is satisfied at position $i$ in $\sigma \in T\Sigma^\omega$ iff $I \in [\![\Delta]\!](\sigma, i)$.

The transitions of our input determined automata are labeled by symbolic actions of the form $(a, g)$ where $a$ is an action, and $g$ is a guard which is a boolean combination of atomic guards of the form $I \in \Delta$. The set of guards over a finite set of input determined operators $Op$ is denoted by $\mathcal{G}(Op)$ and given by the syntax $g ::= \top \mid I \in \Delta \mid \neg g \mid g \vee g \mid g \wedge g$. The satisfaction of a guard $g$ in a timed word $\sigma$ at position $i$, written $\sigma, i \models g$, is given in the expected way: we have $\sigma, i \models \top$ always, $\sigma, i \models I \in \Delta$ as above, and the boolean operators $\wedge$, $\vee$, and $\neg$ interpreted as usual.

A symbolic alphabet $\Gamma$ based on $(\Sigma, Op)$ is a finite subset of $\Sigma \times \mathcal{G}(Op)$. An infinite word $\gamma$ in $\Gamma^\omega$ specifies in a natural way a subset of timed words $tw(\gamma)$ defined as follows. Let $\gamma(i) = (a_i, g_i)$ for each $i \in \mathbb{N}$. Let $\sigma \in T\Sigma^\omega$ with $\sigma(i) = (b_i, t_i)$ for each $i \in \mathbb{N}$. Then $\sigma \in tw(\gamma)$ iff for each $i \in \mathbb{N}$, $b_i = a_i$ and $\sigma, i \models g_i$. We extend the map $tw$ to work on subsets of $\Gamma^\omega$ in the natural way. Thus, for $L \subseteq \Gamma^\omega$, we define $tw(L) = \bigcup_{\gamma \in L} tw(\gamma)$. Finally, we denote the vocabulary of intervals mentioned in $\Gamma$ by $ivoc(\Gamma)$.

Recall that a Büchi automaton over an alphabet $A$ is a structure $\mathcal{A} = (Q, s, \to, F)$ where $Q$ is a finite set of states, $s \in Q$ is an initial state, $\to \subseteq Q \times A \times Q$ is the transition relation, and $F \subseteq Q$ is a set of accepting states. Let $\alpha \in A^\omega$. A run of $\mathcal{A}$ over $\alpha$ is a map $\rho : \mathbb{N} \to Q$ which satisfies: $\rho(0) = s$ and $\rho(i) \xrightarrow{\alpha(i)} \rho(i+1)$ for every $i \in \mathbb{N}$. We say $\rho$ is an accepting run of $\mathcal{A}$ on $\alpha$ if $\rho(i) \in F$ for infinitely many $i \in \mathbb{N}$. The set of words accepted by $\mathcal{A}$, denoted here as $L_{sym}(\mathcal{A})$ (for the "symbolic" language accepted by $\mathcal{A}$), is defined to be the set of words in $A^\omega$ on which $\mathcal{A}$ has an accepting run.

We are now in a position to define an input determined automaton. An input determined automaton (IDA for short) over an alphabet $\Sigma$ and a set of operators $Op$ is simply a Büchi automaton over a symbolic alphabet based on $(\Sigma, Op)$. Viewed as a Büchi automaton over a symbolic alphabet $\Gamma$, an input determined automaton $\mathcal{A}$ accepts the language $L_{sym}(\mathcal{A}) \subseteq \Gamma^\omega$, which we call the symbolic language accepted by $\mathcal{A}$. However, we will be more interested in the timed language accepted by $\mathcal{A}$: this is denoted $L(\mathcal{A})$ and is defined to be $tw(L_{sym}(\mathcal{A}))$.

To give a concrete illustration of input determined automata, we show how the event clock automata of [3] can be realized in the above framework. Take $Op$ to be the set of operators $\{\triangleleft_a, \triangleright_a \mid a \in \Sigma\}$, where the operators $\triangleleft_a$ and $\triangleright_a$ record respectively the time since the last $a$ action, and the time to the next $a$ action. The operator $\triangleleft_a$ (and similarly $\triangleright_a$) can be defined here by setting $[\![\triangleleft_a]\!](\sigma, i)$ to be

$$\{I \in \mathcal{I}_\mathbb{Q} \mid \exists j < i : a(j) = a,\ \tau(i) - \tau(j) \in I,\ \text{and}\ \forall k : j < k < i,\ a(k) \neq a\}.$$
As another example which we will use later in the paper, consider the operator $\Diamond_a$ related to the logic MTL [12, 4]. The guard $I \in \Diamond_a$ is meant to be true in a word $\sigma$ at position $i$ iff there is a future instant $j$ labeled $a$ and the distance to it lies in $I$, i.e. $\tau(j) - \tau(i) \in I$. The guard $I \in \blacklozenge_a$ makes a similar assertion about the past of $\sigma$ w.r.t. the current position. An input determined automaton based on these operators can be defined by taking $Op = \{\Diamond_a, \blacklozenge_a \mid a \in \Sigma\}$, and where, for example, $[\![\Diamond_a]\!](\sigma, i) = \{I \mid \exists j > i : a(j) = a,\ \text{and}\ \tau(j) - \tau(i) \in I\}$.

3 Closure Under Boolean Operations 

We now want to show that the class of timed languages accepted by input determined automata (for a given choice of $\Sigma$ and $Op$) is closed under boolean operations. The notion of a proper symbolic alphabet will play an important role here and subsequently. A proper symbolic alphabet based on $(\Sigma, Op)$ is of the form $\Gamma = \Sigma \times (Op \to 2^{\mathcal{I}})$ where $\mathcal{I}$ is a finite subset of $\mathcal{I}_\mathbb{Q}$. An element of $\Gamma$ is thus of the form $(a, h)$, where the set of intervals specified by $h(\Delta)$ is interpreted as the exact subset of intervals in $ivoc(\Gamma)$ which are satisfied by $\Delta$. This is formalised in the following definition of $tw_\Gamma$ for a proper symbolic alphabet $\Gamma$. Let $\gamma \in \Gamma^\omega$ with $\gamma(i) = (a_i, h_i)$. Let $\sigma \in T\Sigma^\omega$ with $\sigma(i) = (b_i, t_i)$. Then $\sigma \in tw_\Gamma(\gamma)$ iff for each $i \in \mathbb{N}$: $b_i = a_i$ and for each $\Delta \in Op$, $h_i(\Delta) = [\![\Delta]\!](\sigma, i) \cap ivoc(\Gamma)$.

Let $\Gamma$ be a proper symbolic alphabet based on $(\Sigma, Op)$. Then a Büchi automaton $\mathcal{A}$ over $\Gamma$, which we call a proper IDA over $(\Sigma, Op)$, determines a timed language over $\Sigma$ given by $tw_\Gamma(L_{sym}(\mathcal{A}))$.

The class of timed languages defined by IDA's and proper IDA's over $(\Sigma, Op)$ coincide. An IDA over a symbolic alphabet $\Gamma$ can be converted to an equivalent one (in terms of the timed language they define) over a proper symbolic alphabet $\Gamma' = \Sigma \times (Op \to 2^{ivoc(\Gamma)})$. Firstly, each transition label $(a, g)$ in $\Gamma$ can be written in a disjunctive normal form $(c_1 \vee \cdots \vee c_k)$, with each $c_i$ being a conjunction of literals $I \in \Delta$ or $\neg(I \in \Delta)$. Thus each transition labeled $(a, g)$ can be replaced by a set of transitions labeled $(a, c_i)$, one for each $i$. Now each transition labeled $(a, c)$, with $c$ a conjunct guard, can be replaced by a set of transitions $(a, h)$, one for each $h$ "consistent" with $c$: i.e. $h$ should satisfy the condition that if $I \in \Delta$ is one of the conjuncts in $c$ then $I \in h(\Delta)$, and if $\neg(I \in \Delta)$ is one of the conjuncts in $c$ then $I \notin h(\Delta)$. In the other direction, to go from a proper IDA to an IDA, a label $(a, h)$ of a proper symbolic alphabet can be replaced by the guard

$$\bigwedge_{\Delta \in Op}\Big(\bigwedge_{I \in h(\Delta)} (I \in \Delta) \;\wedge\; \bigwedge_{I \in ivoc(\Gamma) - h(\Delta)} \neg(I \in \Delta)\Big).$$

The following property of proper symbolic alphabets will play a crucial role. 

Lemma 1. Let $\Gamma$ be a proper symbolic alphabet based on $(\Sigma, Op)$. Then for any $\sigma \in T\Sigma^\omega$ there is a unique symbolic word $\gamma$ in $\Gamma^\omega$ such that $\sigma \in tw_\Gamma(\gamma)$.

Proof. Let $\sigma(i) = (a_i, t_i)$. The only possible candidate symbolic word $\gamma$ must be given by $\gamma(i) = (a_i, h_i)$, where for each $\Delta \in Op$, $h_i(\Delta) = [\![\Delta]\!](\sigma, i) \cap ivoc(\Gamma)$. □
In the light of Lemma 1, going from a symbolic alphabet to a proper one can be viewed as a step towards determinizing the automaton with respect to its timed language. From here one can simply use classical automata theoretic techniques to determinize the automaton w.r.t. its symbolic language to obtain a time-deterministic one. (Of course, since we deal with infinite words we will need to go from a Büchi to a Muller or Rabin acceptance condition [16].)

Theorem 1. The class of IDA's over $(\Sigma, Op)$ is effectively closed under the boolean operations of union, intersection, and complement.

Proof. It is sufficient to address union and complementation. Given automata $\mathcal{A}$ and $\mathcal{B}$ over symbolic alphabets $\Gamma$ and $\Delta$ respectively, we can simply construct an automaton over $\Gamma \cup \Delta$ which accepts the union of the two symbolic languages. For complementing the timed language of $\mathcal{A}$, we can go over to an equivalent proper IDA $\mathcal{A}'$ over a proper symbolic alphabet $\Gamma'$, and now simply complement the symbolic language accepted by $\mathcal{A}'$ to get an automaton $\mathcal{C}$. It is easy to verify, using the uniqueness property of proper alphabets given in Lemma 1, that $L(\mathcal{C}) = T\Sigma^\omega - L(\mathcal{A}')$. In the constructions above we have made use of the closure properties of classical $\omega$-regular languages [16]. □

We emphasize that no claim is made here about decidability of these classes. 



4 A Logical Characterisation of IDA’s 



We now show that input determined automata admit a natural characterisation via a timed MSO in the spirit of [5]. Recall that for an alphabet $A$, Büchi's monadic second order logic (denoted here by $\mathrm{MSO}(A)$) is given as follows:

$$\varphi ::= Q_a(x) \mid x \in X \mid x < y \mid \neg\varphi \mid (\varphi \vee \varphi) \mid \exists x\varphi \mid \exists X\varphi.$$



The logic is interpreted over a word $\alpha \in A^\omega$, along with an interpretation $\mathbb{I}$ which assigns individual variables $x$ a position in $\alpha$ (i.e. an $i \in \mathbb{N}$), and set variables $X$ a set of positions $S \subseteq \mathbb{N}$. The relation $<$ is interpreted as the usual ordering of natural numbers, and the predicate $Q_a$ (one for each $a \in A$) as the set of positions in $\alpha$ labeled $a$.

The formal semantics of the logic is given below. For an interpretation $\mathbb{I}$ we use the notation $\mathbb{I}[i/x]$ to denote the interpretation which sends $x$ to $i$ and agrees with $\mathbb{I}$ on all other variables. Similarly, $\mathbb{I}[S/X]$ denotes the modification of $\mathbb{I}$ which maps the set variable $X$ to a subset $S$ of $\mathbb{N}$. Later we will also use the notation $[i/x]$ to denote an interpretation which sends $x$ to $i$ when the rest of the interpretation is irrelevant.

$$\begin{array}{lcl}
\alpha, \mathbb{I} \models Q_a(x) & \text{iff} & \alpha(\mathbb{I}(x)) = a. \\
\alpha, \mathbb{I} \models x \in X & \text{iff} & \mathbb{I}(x) \in \mathbb{I}(X). \\
\alpha, \mathbb{I} \models x < y & \text{iff} & \mathbb{I}(x) < \mathbb{I}(y). \\
\alpha, \mathbb{I} \models \exists x\varphi & \text{iff} & \text{there exists } i \in \mathbb{N} \text{ such that } \alpha, \mathbb{I}[i/x] \models \varphi. \\
\alpha, \mathbb{I} \models \exists X\varphi & \text{iff} & \text{there exists } S \subseteq \mathbb{N} \text{ such that } \alpha, \mathbb{I}[S/X] \models \varphi.
\end{array}$$
For a sentence $\varphi$ (i.e. a formula without free variables) in $\mathrm{MSO}(A)$ we set $L(\varphi) = \{\alpha \in A^\omega \mid \alpha \models \varphi\}$. Büchi's result then states that a language $L \subseteq A^\omega$ is accepted by a Büchi automaton over $A$ iff $L = L(\varphi)$ for a sentence $\varphi$ in $\mathrm{MSO}(A)$.

We define a timed MSO called $\mathrm{TMSO}(\Sigma, Op)$, parameterised by the alphabet $\Sigma$ and set of input determined operators $Op$, whose syntax is given by:

$$\varphi ::= Q_a(x) \mid I \in \Delta(x) \mid x \in X \mid x < y \mid \neg\varphi \mid (\varphi \vee \varphi) \mid \exists x\varphi \mid \exists X\varphi.$$

In the predicate "$I \in \Delta(x)$", $I$ is an interval in $\mathcal{I}_\mathbb{Q}$, $\Delta \in Op$, and $x$ is a variable.

The logic is interpreted in a similar manner to MSO, except that models are now timed words over $\Sigma$. In particular, for a timed word $\sigma = (a, \tau)$, we have:

$$\begin{array}{lcl}
\sigma, \mathbb{I} \models Q_a(x) & \text{iff} & a(\mathbb{I}(x)) = a \\
\sigma, \mathbb{I} \models I \in \Delta(x) & \text{iff} & I \in [\![\Delta]\!](\sigma, \mathbb{I}(x)).
\end{array}$$

Given a sentence $\varphi$ in $\mathrm{TMSO}(\Sigma, Op)$ we define $L(\varphi) = \{\sigma \in T\Sigma^\omega \mid \sigma \models \varphi\}$.

Theorem 2. A timed language $L \subseteq T\Sigma^\omega$ is accepted by an input determined automaton over $(\Sigma, Op)$ iff $L = L(\varphi)$ for some sentence $\varphi$ in $\mathrm{TMSO}(\Sigma, Op)$.

Proof. Given an IDA $\mathcal{A}$ over $(\Sigma, Op)$ we can give a TMSO sentence $\varphi$ which describes the existence of an accepting run of $\mathcal{A}$ on a timed word. Following [16], for $\mathcal{A} = (Q, q_0, \to, F)$ with $Q = \{q_0, \ldots, q_n\}$, we can take $\varphi$ to be the sentence

$$\begin{array}{l}
\exists X_0 \cdots \exists X_n \Big( 0 \in X_0 \;\wedge\; \bigwedge_{i \neq j} \forall x\,(x \in X_i \Rightarrow \neg(x \in X_j)) \\
\quad \wedge\; \forall x \bigvee_{q_i \xrightarrow{(a,g)} q_j} \big(x \in X_i \wedge (x+1) \in X_j \wedge Q_a(x) \wedge g'\big) \\
\quad \wedge\; \bigvee_{q_i \in F} \forall x\,\exists y\,(x < y \wedge y \in X_i)\Big).
\end{array}$$

Here $g'$ denotes the formula obtained by replacing each $I \in \Delta$ in $g$ by $I \in \Delta(x)$. Further, "$0 \in X_0$" abbreviates $\forall x\,(zero(x) \Rightarrow x \in X_0)$ where $zero(x)$ in turn stands for $\neg\exists y\,(y < x)$. Similarly $x + 1 \in X_j$ can be expressed via $\forall y\,(succ_x(y) \Rightarrow y \in X_j)$, where $succ_x(y)$ is the formula $x < y \wedge \neg\exists z\,(x < z \wedge z < y)$.

In the converse direction we take the route used in [6] as it will be useful in the sequel. Let $\varphi$ be a formula in $\mathrm{TMSO}(\Sigma, Op)$, and let $\Gamma$ be the (unique) proper symbolic alphabet with the same interval vocabulary as $\varphi$. We give a way of translating $\varphi$ to a formula $t\text{-}s(\varphi)$ in $\mathrm{MSO}(\Gamma)$ in such a way that the timed languages are preserved. The translation $t\text{-}s$ is done with respect to $\Gamma$ and simply replaces each occurrence of

$$Q_a(x) \;\text{by}\; \bigvee_{(b,h) \in \Gamma,\ b = a} Q_{(b,h)}(x) \qquad\text{and}\qquad I \in \Delta(x) \;\text{by}\; \bigvee_{(a,h) \in \Gamma,\ I \in h(\Delta)} Q_{(a,h)}(x).$$

The translation preserves the timed models of a formula $\varphi$ in the following sense:
The translation preserves the timed models of a formula p in the following sense: 
Lemma 2. Let $\sigma \in T\Sigma^\omega$, $\gamma \in \Gamma^\omega$ and $\sigma \in tw_\Gamma(\gamma)$. Let $\mathbb{I}$ be an interpretation for variables. Then $\sigma, \mathbb{I} \models \varphi$ iff $\gamma, \mathbb{I} \models t\text{-}s(\varphi)$. □

The lemma is easy to prove using induction on the structure of the formula $\varphi$ and making use of the properties of proper symbolic alphabets. From the lemma it immediately follows that for a sentence $\varphi$ in $\mathrm{TMSO}(\Sigma, Op)$, we have $L(\varphi) = tw_\Gamma(L(t\text{-}s(\varphi)))$, and this is the sense in which the translation preserves timed languages.

We can now argue the converse direction of Theorem 2 using this translation and factoring through Büchi's theorem. Let $\psi$ be a sentence in $\mathrm{TMSO}(\Sigma, Op)$ and let $\varphi = t\text{-}s(\psi)$. Then by Büchi's theorem we have an automaton $\mathcal{A}$ over $\Gamma$ which recognizes exactly $L(\varphi)$. Thus $\mathcal{A}$ is our required proper IDA since $L(\mathcal{A}) = tw_\Gamma(L_{sym}(\mathcal{A})) = tw_\Gamma(L(\varphi)) = L(\psi)$. □

5 An Expressively Complete Timed LTL 

In this section we identify a natural, expressively complete, timed temporal logic based on input determined operators. The logic is denoted $\mathrm{TLTL}(\Sigma, Op)$, parameterized by the alphabet $\Sigma$ and set of input determined operators $Op$. The formulas of $\mathrm{TLTL}(\Sigma, Op)$ are given by:

$$\theta ::= a \mid I \in \Delta \mid \bigcirc\theta \mid \ominus\theta \mid (\theta U \theta) \mid (\theta S \theta) \mid \neg\theta \mid (\theta \vee \theta).$$

Here we require $a \in \Sigma$, $I \in \mathcal{I}_\mathbb{Q}$, and $\Delta \in Op$. The models for $\mathrm{TLTL}(\Sigma, Op)$ formulas are timed words over $\Sigma$. Let $\sigma \in T\Sigma^\omega$, with $\sigma = (a, \tau)$, and let $i \in \mathbb{N}$. Then the satisfaction relation $\sigma, i \models \theta$ is given by



$$\begin{array}{lcl}
\sigma, i \models a & \text{iff} & a(i) = a \\
\sigma, i \models I \in \Delta & \text{iff} & I \in [\![\Delta]\!](\sigma, i) \\
\sigma, i \models \bigcirc\theta & \text{iff} & \sigma, i+1 \models \theta \\
\sigma, i \models \ominus\theta & \text{iff} & i > 0 \text{ and } \sigma, i-1 \models \theta \\
\sigma, i \models \theta U \eta & \text{iff} & \exists k \geq i : \sigma, k \models \eta \text{ and } \forall j : i \leq j < k,\ \sigma, j \models \theta \\
\sigma, i \models \theta S \eta & \text{iff} & \exists k \leq i : \sigma, k \models \eta \text{ and } \forall j : k < j \leq i,\ \sigma, j \models \theta
\end{array}$$

We define $L(\theta) = \{\sigma \in T\Sigma^\omega \mid \sigma, 0 \models \theta\}$.

Let us denote by $\mathrm{TFO}(\Sigma, Op)$ the first-order fragment of $\mathrm{TMSO}(\Sigma, Op)$ (i.e. the fragment we get by disallowing quantification over set variables). The logics TLTL and TFO are expressively equivalent in the following sense:

Theorem 3. A timed language $L \subseteq T\Sigma^\omega$ is definable by a $\mathrm{TLTL}(\Sigma, Op)$ formula $\theta$ iff it is definable by a sentence $\varphi$ in $\mathrm{TFO}(\Sigma, Op)$.

Proof. Given a $\mathrm{TLTL}(\Sigma, Op)$ formula $\theta$ we can associate a $\mathrm{TFO}(\Sigma, Op)$ formula $\varphi$ which has a single free variable $x$, and satisfies the property that $\sigma, i \models \theta$ iff $\sigma, [i/x] \models \varphi$. This can be done in a straightforward inductive manner as follows. For the atomic formulas $a$ and $I \in \Delta$ we can take $\varphi$ to be $Q_a(x)$ and $I \in \Delta(x)$
respectively. In the inductive step, assuming we have already translated $\theta$ and $\eta$ into $\varphi$ and $\psi$ respectively, we can translate $\theta U \eta$ into

$$\exists y\,\big(x < y \wedge \psi[y/x] \wedge \forall z\,((x < z \wedge z < y) \Rightarrow \varphi[z/x])\big).$$

Here $\psi[y/x]$ denotes the standard renaming of the free variable $x$ by $y$ in $\psi$. The remaining modalities are handled in a similar way, and we can verify that if $\varphi$ is the above translation of $\theta$ then $\sigma, i \models \theta$ iff $\sigma, [i/x] \models \varphi$. It also follows that $\sigma, 0$ satisfies $\theta$ iff $\sigma$ satisfies the sentence $\varphi_0$ given by $\forall x\,(zero(x) \Rightarrow \varphi)$. Hence we have that $L(\theta) = L(\varphi_0)$.

In the converse direction a more transparent proof is obtained by factoring through Kamp's result for classical LTL. Recall that the syntax of $\mathrm{LTL}(A)$ is given by:

$$\theta ::= a \mid \bigcirc\theta \mid \ominus\theta \mid (\theta U \theta) \mid (\theta S \theta) \mid \neg\theta \mid (\theta \vee \theta)$$

where $a \in A$. The semantics is given in a similar manner to TLTL, except that models are words in $A^\omega$. In particular the satisfaction relation $\alpha, i \models \theta$ for the atomic formula $a$ is given by: $\alpha, i \models a$ iff $\alpha(i) = a$. Let $\mathrm{FO}(A)$ denote the first-order fragment of $\mathrm{MSO}(A)$. Then the result due to Kamp [11] states that:

Theorem 4 ([11]). $\mathrm{LTL}(A)$ is expressively equivalent to $\mathrm{FO}(A)$. □

Consider now a proper symbolic alphabet $\Gamma$ based on $(\Sigma, Op)$. We can define a timed language preserving translation of an $\mathrm{LTL}(\Gamma)$ formula $\theta$ to a formula $s\text{-}t(\theta)$ in $\mathrm{TLTL}(\Sigma, Op)$. In the translation $s\text{-}t$ we replace subformulas $(a, h)$ by

$$a \wedge \bigwedge_{\Delta \in Op}\Big(\bigwedge_{I \in h(\Delta)} (I \in \Delta) \;\wedge\; \bigwedge_{I \in ivoc(\Gamma) - h(\Delta)} \neg(I \in \Delta)\Big).$$

It is easy to argue along the lines of Lemma 1 that

Lemma 3. Let $\sigma \in T\Sigma^\omega$ and $\gamma \in \Gamma^\omega$ with $\sigma \in tw_\Gamma(\gamma)$. Then $\sigma, i \models s\text{-}t(\theta)$ iff $\gamma, i \models \theta$. □

Hence we have $L(s\text{-}t(\theta)) = tw_\Gamma(L(\theta))$.

We can now translate a sentence $\varphi$ in $\mathrm{TFO}(\Sigma, Op)$ to an equivalent formula $\theta$ in $\mathrm{TLTL}(\Sigma, Op)$, according to the diagram below.

[Diagram: the TLTL formula $\theta$ and the TFO sentence $\varphi$ sit above $\mathrm{LTL}(\Gamma)$ and $\mathrm{FO}(\Gamma)$; the left edge is $s\text{-}t$, relating the languages via $tw_\Gamma$, the right edge is $t\text{-}s$, again relating the languages via $tw_\Gamma$, and the bottom edge is Kamp's theorem between $\mathrm{LTL}(\Gamma)$ and $\mathrm{FO}(\Gamma)$ with equal languages.]

This completes the proof of Theorem 3. □
We point out here that the past temporal operators $\ominus$ ("previous") and $S$ ("since") can be dropped from our logic without affecting the expressiveness of the logic. This follows since it is shown in [9] that Theorem 4 also holds for the future fragment of LTL. The reason we retain the past operators is because they are needed when we consider a recursive version of the logic in Section 8.

6 Recursive Input Determined Automata 

We now consider "recursive" input determined operators. The main motivation is to increase the expressive power of our automata, as well as to characterise the expressiveness of recursive temporal logics which occur naturally in the real-time setting.

To introduce recursion in our operators, we need to consider parameterised (or recursive) input determined operators. These operators, which we continue to denote by $\Delta$, have a semantic function $[\![\Delta]\!] : (2^\mathbb{N} \times T\Sigma^\omega \times \mathbb{N}) \to 2^{\mathcal{I}_\mathbb{Q}}$, whose first argument is a subset of positions $X$. Thus $\Delta$ with the parameter $X$ determines an input determined operator of the type introduced earlier, whose semantic function is given by the map $(\sigma, i) \mapsto [\![\Delta]\!](X, \sigma, i)$. The set of positions $X$ will typically be specified by a temporal logic formula or a "floating" automaton, in the sense that given a timed word $\sigma$, the formula (resp. automaton) will identify a set of positions in $\sigma$ where the formula is satisfied (resp. automaton accepts). These ideas will soon be made more precise.

We first recall the idea of a "floating" automaton introduced in [10]. These are automata which accept pairs of the form $(\sigma, i)$ with $\sigma$ a timed word, and $i$ a position (i.e. $i \in \mathbb{N}$). We will represent a "floating" word $(\sigma, i)$ as a timed word over $\Sigma \times \{0, 1\}$. Thus a timed word $\nu$ over $\Sigma \times \{0, 1\}$ represents the floating word $(\sigma, i)$ iff $\nu = (a, \beta, \tau)$, with $\beta \in \{0, 1\}^\omega$ having a single 1 in the $i$-th position, and $\sigma = (a, \tau)$. We use $fw$ to denote the (partial) map which, given a timed word $\nu$ over $\Sigma \times \{0, 1\}$, returns the floating word $(\sigma, i)$ corresponding to $\nu$, and extend it to apply to timed languages over $\Sigma \times \{0, 1\}$ in the natural way.

Let $Op$ be a set of input determined operators w.r.t. $\Sigma$. Then a floating IDA over $(\Sigma, Op)$ is an IDA over $(\Sigma \times \{0, 1\}, Op')$, where the set of operators $Op'$ w.r.t. $\Sigma \times \{0, 1\}$ is defined to be $\{\Delta' \mid \Delta \in Op\}$, with the semantics

$$[\![\Delta']\!](\sigma', i) = [\![\Delta]\!](\sigma, i),$$

where $\sigma'$ is a timed word over $\Sigma \times \{0, 1\}$, with $\sigma' = (a, \beta, \tau)$ and $\sigma = (a, \tau)$. Thus the operator $\Delta'$ simply ignores the $\{0, 1\}$ component of $\sigma'$ and behaves like $\Delta$ on the $\Sigma$ component. A floating IDA $\mathcal{B}$ accepts the floating timed language $L_f(\mathcal{B}) = fw(L(\mathcal{B}))$.

We now give a more precise definition of recursive input determined automata (rec-IDA's) and their floating counterparts frec-IDA's. Let $Rop$ be a finite set of recursive input determined operators. Then the class of rec-IDA's over $(\Sigma, Rop)$, and the timed languages they accept, are defined as follows.

— Every IDA $\mathcal{A}$ over $\Sigma$ that uses only the guard $\top$ is a rec-IDA over $(\Sigma, Rop)$, and accepts the timed language $L(\mathcal{A})$.
Similarly, every floating IDA $\mathcal{B}$ over $\Sigma$ which uses only the guard $\top$ is a frec-IDA over $(\Sigma, Rop)$, and accepts the floating language $L_f(\mathcal{B})$.

— Let $\mathcal{C}$ be a finite collection of frec-IDA's over $(\Sigma, Rop)$. Let $Op$ be the set of input determined operators $\{\Delta_\mathcal{B} \mid \Delta \in Rop,\ \mathcal{B} \in \mathcal{C}\}$, where the semantic function of each $\Delta_\mathcal{B}$ is given as follows. Let $pos(\sigma, \mathcal{B})$ denote the set of positions $i$ such that $(\sigma, i) \in L_f(\mathcal{B})$. Then $[\![\Delta_\mathcal{B}]\!](\sigma, i) = [\![\Delta]\!](pos(\sigma, \mathcal{B}), \sigma, i)$. Then any IDA $\mathcal{A}$ over $(\Sigma, Op)$ is a rec-IDA over $(\Sigma, Rop)$, and accepts the timed language $L(\mathcal{A})$ (as defined in Section 2).

Similarly every floating IDA $\mathcal{B}$ over $(\Sigma, Op)$ is a frec-IDA over $(\Sigma, Rop)$, and accepts the floating language $L_f(\mathcal{B})$.

Recursive automata fall into a natural "level" based on the level of nesting of operators they use. A rec-IDA is of level 0 if the only guard it uses is $\top$. Similarly a frec-IDA is of level 0 if the only guard it uses is $\top$. A rec-IDA is of level $(i+1)$ if it uses an operator $\Delta_\mathcal{B}$, with $\Delta \in Rop$ and $\mathcal{B}$ a frec-IDA of level $i$, and no operator $\Delta'_\mathcal{C}$ with $\Delta' \in Rop$ and $\mathcal{C}$ of level greater than $i$. A similar definition of level applies to frec-IDA's.

As an example consider the level 1 rec-IDA A below over the alphabet {a, b} and recursive input determined operators ◇ and ⊗ given by (as usual σ ∈ TΣ^ω with σ = (α, τ)):

\[ \llbracket \Diamond \rrbracket(X, \sigma, i) = \{ I \in \mathcal{I}_{\mathbb{Q}} \mid \exists j \in X : j > i \text{ and } \tau_j - \tau_i \in I \} \]

\[ \llbracket \otimes \rrbracket(X, \sigma, i) = \{ I \in \mathcal{I}_{\mathbb{Q}} \mid \exists j \in X : j < i \text{ and } \tau_i - \tau_j \in I \}. \]

The floating automaton B accepts a floating word (σ, i) iff the position i is labeled b and the previous and next positions are labeled a. The rec-IDA A thus recognizes the set of timed words σ over {a, b} which begin with an a and have an occurrence of b, with a’s on its left and right, exactly 1 time unit later.



[Figure: the level 1 rec-IDA A, whose transition is guarded by a, [1,1] ∈ ◇_B, and the floating automaton B over {a, b} × {0, 1}, whose marked transition reads (b, 1) with guard ⊤.]
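The semantics of ◇ and ⊗ and of the recursive operator ◇_B for the running example, as an added illustration (not the paper's own code). A timed word σ = (α, τ) is represented as a Python list of (letter, timestamp) pairs indexed from 0, and only the finite prefix needed to evaluate a guard is examined; the membership tests return whether a given interval I belongs to the (infinite) set ⟦Δ⟧(X, σ, i). The acceptance test for A checks exactly the property stated above (first letter a, and [1,1] ∈ ◇_B at position 0); the sample words are constructed.

```python
"""Recursive input determined operators over timed words (added example).

A timed word is a list of (letter, timestamp) pairs, indexed from 0, with
non-decreasing Fraction timestamps. Intervals are (lo, hi, lo_closed,
hi_closed) tuples. Sample words are constructed, not taken from the paper.
"""
from fractions import Fraction
from typing import List, Set, Tuple

TimedWord = List[Tuple[str, Fraction]]
Interval = Tuple[Fraction, Fraction, bool, bool]


def timed_word(pairs) -> TimedWord:
    """Build a timed word from (letter, time) pairs; times become Fractions."""
    return [(a, Fraction(t)) for a, t in pairs]


def in_interval(v: Fraction, I: Interval) -> bool:
    lo, hi, lo_closed, hi_closed = I
    return (v > lo or (lo_closed and v == lo)) and (v < hi or (hi_closed and v == hi))


def in_diamond(I: Interval, X: Set[int], sigma: TimedWord, i: int) -> bool:
    """I ∈ ⟦◇⟧(X, σ, i): some j ∈ X with j > i and τ_j − τ_i ∈ I."""
    return any(j > i and in_interval(sigma[j][1] - sigma[i][1], I) for j in X)


def in_past_diamond(I: Interval, X: Set[int], sigma: TimedWord, i: int) -> bool:
    """I ∈ ⟦⊗⟧(X, σ, i): some j ∈ X with j < i and τ_i − τ_j ∈ I."""
    return any(j < i and in_interval(sigma[i][1] - sigma[j][1], I) for j in X)


def pos_B(sigma: TimedWord) -> Set[int]:
    """pos(σ, B) for the floating automaton B: the positions labelled b whose
    previous and next positions are both labelled a."""
    return {i for i in range(1, len(sigma) - 1)
            if sigma[i][0] == 'b'
            and sigma[i - 1][0] == 'a'
            and sigma[i + 1][0] == 'a'}


def in_diamond_B(I: Interval, sigma: TimedWord, i: int) -> bool:
    """I ∈ ⟦◇_B⟧(σ, i) = ⟦◇⟧(pos(σ, B), σ, i): the level 1 recursive operator."""
    return in_diamond(I, pos_B(sigma), sigma, i)


# The singular interval [1, 1] used as the guard of A.
ONE: Interval = (Fraction(1), Fraction(1), True, True)


def accepted_by_A(sigma: TimedWord) -> bool:
    """The level 1 rec-IDA A: the word begins with an a and the guard
    [1,1] ∈ ◇_B holds at position 0. Later letters are unconstrained
    (an assumption: the figure itself is not reproduced here)."""
    return len(sigma) > 0 and sigma[0][0] == 'a' and in_diamond_B(ONE, sigma, 0)


if __name__ == "__main__":
    w = timed_word([('a', 0), ('a', 0.5), ('b', 1), ('a', 1.5)])
    print(pos_B(w), accepted_by_A(w))   # {2} True
```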




Theorem 5. The class of rec-IDA’s over (Σ, Rop) is closed under boolean operations. In fact, for each i, the class of level i rec-IDA’s is closed under boolean operations.

Proof. It is sufficient to prove the latter statement, since a rec-IDA can always be promoted to a higher level using a vacuous guard. Let A and A′ be two rec-IDA’s of level i. Let Op be the union of the operators used in A and A′. Then both A and A′ are IDA’s over (Σ, Op), and hence by Theorem 1 there exists an IDA B over (Σ, Op) which accepts L(A) ∪ L(A′). Similarly there exists an IDA C over (Σ, Op) which accepts the language TΣ^ω − L(A). Notice that B and C use the same set of operators Op, and hence are also level i automata. □

We note that IDA’s over (Σ, Op) are a special case of level 1 rec-IDA’s over (Σ, Rop), where the set of recursive operators Rop is taken to be {Δ′ | Δ ∈ Op} with ⟦Δ′⟧(X, σ, i) = ⟦Δ⟧(σ, i). Thus each guard I ∈ Δ in an IDA over (Σ, Op) can be replaced by the guard I ∈ Δ′_B, for any “dummy” level 0 frec-IDA B.
7 MSO Characterisation of rec-IDA’s

We now introduce a recursive version of TMSO which will characterise the class of timed languages defined by rec-IDA’s. The logic is parameterised by an alphabet Σ and a set of recursive input determined operators Rop, and denoted rec-TMSO(Σ, Rop). The syntax of the logic is given by

\[ \varphi ::= Q_a(x) \mid I \in \Delta_\psi(x) \mid x \in X \mid x < y \mid \neg\varphi \mid (\varphi \vee \varphi) \mid \exists x\,\varphi \mid \exists X\,\varphi. \]

In the predicate I ∈ Δ_ψ(x), we have I ∈ I_Q, Δ ∈ Rop, and ψ a rec-TMSO(Σ, Rop) formula with a single free variable z.

The logic is interpreted over timed words in TΣ^ω. Its semantics is similar to TMSO except for the predicate “I ∈ Δ_ψ(x)” which is defined inductively as follows. If ψ is a formula which uses no Δ predicates, then the satisfaction relation σ, ℐ ⊨ ψ is defined as for TMSO. Inductively, assuming the semantics of ψ has already been defined, Δ_ψ is interpreted as an input determined operator as follows. Let pos(σ, ψ) denote the set of interpretations for z that make ψ true in the timed word σ, i.e. pos(σ, ψ) = {i | σ, [i/z] ⊨ ψ}. Then

\[ \llbracket \Delta_\psi \rrbracket(\sigma, i) = \llbracket \Delta \rrbracket(\mathrm{pos}(\sigma, \psi), \sigma, i). \]

Thus we have

\[ \sigma, \mathcal{I} \models I \in \Delta_\psi(x) \iff I \in \llbracket \Delta \rrbracket(\mathrm{pos}(\sigma, \psi), \sigma, \mathcal{I}(x)). \]

Note that the variable z, which is free in ψ, is not free in the formula I ∈ Δ_ψ(x). A sentence φ in rec-TMSO(Σ, Rop) defines the language L(φ) = {σ ∈ TΣ^ω | σ ⊨ φ}, and a rec-TMSO(Σ, Rop) formula ψ with one free variable z defines a floating language L_f(ψ) = {(σ, i) | σ, [i/z] ⊨ ψ}.

We note that each rec-TMSO(Σ, Rop) formula φ can be viewed as a formula in TMSO(Σ, Op), for a suitably defined set of input determined operators Op. We say an operator Δ_ψ has a top-level occurrence in φ if there is an occurrence of Δ_ψ in φ which is not in the scope of any Δ′ operator. We can now take Op to be the set of all top-level operators Δ_ψ in φ.

Analogous to the notion of level for rec-IDA’s we can define the level of a rec-TMSO formula φ. The level of φ is 0 if φ uses no Δ predicates; φ has level i+1 if it uses a predicate of the form I ∈ Δ_ψ(x) with ψ a level i formula, and no predicate of the form I ∈ Δ′_{φ′}(x) with φ′ of level greater than i.

As an example the level 1 sentence φ below defines the same timed language as the level 1 rec-IDA A defined in Section 2. We can take φ to be Q_a(0) ∧ ([1, 1] ∈ ◇_ψ(0)), where ψ is the level 0 formula Q_b(z) ∧ Q_a(z − 1) ∧ Q_a(z + 1).

Theorem 6. L ⊆ TΣ^ω is accepted by a rec-IDA over (Σ, Rop) iff L is definable by a rec-TMSO(Σ, Rop) sentence.

In fact, we will show that for each i, the class of rec-IDA’s of level i corresponds to the sentences of rec-TMSO(Σ, Rop) of level i. But first it will be useful to state a characterisation of floating languages along the lines of Theorem 2.







Deepak D’Souza and Nicolas Tabareau 



Theorem 7. Let L be a floating language over Σ. Then L = L_f(B) for some floating IDA B over (Σ, Op) iff L = L_f(ψ), for some TMSO(Σ, Op) formula ψ with one free variable.

Proof. Let B be a floating IDA over (Σ, Op). Keeping in mind that B runs over the alphabet Σ × {0, 1}, we define a formula ψ with one free variable z as follows. ψ is the formula given in the proof of Theorem 2, except for the clause (*) which we replace by

\[ \wedge\ \forall x \Big( \big( (x = z) \Rightarrow \bigvee_{q_i \xrightarrow{((a,1),g)} q_j} (x \in X_i \wedge (x+1) \in X_j \wedge Q_a(x) \wedge g') \big) \wedge \big( (x \neq z) \Rightarrow \bigvee_{q_i \xrightarrow{((a,0),g)} q_j} (x \in X_i \wedge (x+1) \in X_j \wedge Q_a(x) \wedge g') \big) \Big). \]

The formula ψ satisfies (σ, i) ∈ L_f(B) iff σ, [i/z] ⊨ ψ.

In the converse direction, let ψ(m, n) denote a TMSO(Σ, Op) formula with free variables x_1, …, x_m, X_1, …, X_n. An interpretation ℐ for these variables is encoded (along with σ) as a timed word over Σ × {0, 1}^{m+n}. We extend the definition of a floating IDA to an IDA which works over such an alphabet, where, in particular, the Δ operators apply only to the Σ component of the timed word. Then we can inductively associate with ψ(m, n) a floating IDA B over Σ × {0, 1}^{m+n} such that L_f(B) = L_f(ψ). In the inductive step for ∃X_n(ψ(m, n)) we make use of the fact that the class of languages accepted by floating IDA’s over (Σ, Op) is closed under the restricted renaming operation required in this case. The reader is referred to [6] for a similar argument. □



Returning now to the proof of Theorem 6, we use induction on the level of automata and formulas to argue that

1. L ⊆ TΣ^ω is accepted by a level i rec-IDA over (Σ, Rop) iff L is definable by a level i rec-TMSO(Σ, Rop) sentence φ. And

2. A floating language L over Σ is accepted by a level i frec-IDA over (Σ, Rop) iff L is definable by a level i rec-TMSO(Σ, Rop) formula ψ with one free variable.

For the base case we consider level 0 automata and sentences. Since level 0 automata only make use of the guard ⊤, they are simply Büchi automata over Σ. Similarly, level 0 sentences don’t use any Δ predicates and hence they are simply MSO(Σ) sentences. By Büchi’s theorem, we have that level 0 automata and sentences are expressively equivalent.

For the base case of the second part of the claim, given a level 0 floating automaton B we can apply the construction in the proof of Theorem 7 to get a TMSO(Σ) formula ψ with one free variable. Since the construction preserves the guards used, ψ has no Δ operators, and hence is a level 0 rec-TMSO(Σ, Rop) formula. Conversely, for a level 0 formula ψ we can apply the construction of Theorem 7 to obtain a floating automaton B such that L_f(B) = L_f(ψ). The construction preserves the Δ operators used, and hence B is a level 0 automaton.

Turning now to the induction step, let A be a level i + 1 automaton over (Σ, Rop). Let Op be the set of top-level Δ operators in A. Now since A is an IDA over (Σ, Op), by Theorem 2 we have a TMSO(Σ, Op) sentence φ such that L(A) = L(φ). Now for each Δ_B in Op, B is of level i or lower, and by our induction hypothesis there is a corresponding rec-TMSO(Σ, Rop) formula ψ with one free variable, of the same level as B, with L_f(B) = L_f(ψ). Hence for each Δ_B we have a semantically equivalent operator Δ_ψ. This is because L_f(B) = L_f(ψ), which implies pos(σ, B) = pos(σ, ψ), which in turn implies ⟦Δ_B⟧ = ⟦Δ_ψ⟧. We can now simply replace each occurrence of Δ_B in φ to get an equivalent sentence φ′ which is in rec-TMSO(Σ, Rop). Further, by construction, φ′ is of level i + 1.

Conversely, let φ be a level i + 1 sentence in rec-TMSO(Σ, Rop). Let Op be the set of top-level Δ operators in φ. Then φ is a TMSO(Σ, Op) sentence, and hence by Theorem 2 we have an equivalent input determined automaton A over (Σ, Op). Once again, for each Δ_ψ in Op, the formula ψ is of level i or lower, and hence by the induction hypothesis we have a frec-IDA B over (Σ, Rop), of the same level as ψ, and accepting the same floating language. The operators Δ_ψ and Δ_B are now equivalent, and we can replace each Δ_ψ in A by the corresponding Δ_B to get a language equivalent input determined automaton. This automaton is now the required level i + 1 rec-IDA over (Σ, Rop) which accepts the same language as L(φ).

The induction step for part 2 is proved similarly, making use of Theorem 7 and the induction hypothesis. This completes the proof of Theorem 6. □

8 Expressive Completeness of rec-TLTL 

We now define a recursive timed temporal logic along the lines of [10]. The logic is similar to the logic TLTL defined in Sec. 5. It is parameterized by an alphabet Σ and a set of recursive input determined operators Rop, and denoted rec-TLTL(Σ, Rop). The syntax of the logic is given by

\[ \theta ::= a \mid I \in \Delta_\theta \mid \bigcirc\theta \mid \ominus\theta \mid (\theta\, U\, \theta) \mid (\theta\, S\, \theta) \mid \neg\theta \mid (\theta \vee \theta), \]

where a ∈ Σ, and Δ ∈ Rop.

The logic is interpreted over timed words in a similar manner to TLTL. The predicate I ∈ Δ_θ is interpreted as follows. If θ does not use a Δ predicate, then the satisfaction relation σ, i ⊨ θ is defined as for TLTL. Inductively, assuming the semantics of a rec-TLTL(Σ, Rop) formula θ has been defined, and setting pos(σ, θ) = {i ∈ ℕ | σ, i ⊨ θ}, the operator Δ_θ is interpreted as an input determined operator with the semantic function

\[ \llbracket \Delta_\theta \rrbracket(\sigma, i) = \llbracket \Delta \rrbracket(\mathrm{pos}(\sigma, \theta), \sigma, i). \]

The satisfaction relation σ, i ⊨ I ∈ Δ_θ is then defined as in TLTL.

Once again, since Δ_θ behaves like an input determined operator, each formula in rec-TLTL(Σ, Rop) is also a TLTL(Σ, Op) formula, for an appropriately chosen set of input determined operators Op, containing operators of the form Δ_θ. A rec-TLTL(Σ, Rop) formula θ naturally defines both a timed language L(θ) = {σ ∈ TΣ^ω | σ, 0 ⊨ θ} and a floating language L_f(θ) = {(σ, i) | σ, i ⊨ θ}.

As an example, the formula a ∧ ([1, 1] ∈ ◇_θ) where θ = b ∧ ○a ∧ ⊖a, restates the property expressed by the rec-TMSO formula in Sec. 7.

Let us denote by rec-TFO(Σ, Rop) the first-order fragment of the logic rec-TMSO(Σ, Rop). Then we have the following expressive completeness result:

Theorem 8. rec-TLTL(Σ, Rop) is expressively equivalent to rec-TFO(Σ, Rop).

Proof. We show by induction on i that (1) A timed language L ⊆ TΣ^ω is definable by a level i rec-TLTL(Σ, Rop) formula iff it is definable by a level i rec-TFO(Σ, Rop) sentence. (2) A floating timed language over Σ is definable by a level i rec-TLTL(Σ, Rop) formula iff it is definable by a level i rec-TFO(Σ, Rop) formula with one free variable. We need to make use of the following result due to Kamp:

Theorem 9 ([11]). For any FO(Σ) formula ψ with one free variable z, there is an LTL(Σ) formula θ s.t. for each σ ∈ Σ^ω and i ∈ ℕ, σ, [i/z] ⊨ ψ iff σ, i ⊨ θ.

The proof now proceeds similarly to that of Theorem 6, and Theorem 3 where we make use of the translations s-t and t-s. The details can be found in [7]. □

9 Expressive Completeness of MITL 

As an application of the results in this paper we show that the logic MITL introduced in [2] is expressively equivalent to rec-TFO for a suitably defined set of recursive input determined operators. We point out here that this result is shown for the pointwise semantics of MITL given below. We begin with the logic MTL(Σ) which has the following syntax [4]:

\[ \theta ::= a \mid \bigcirc\theta \mid \ominus\theta \mid (\theta\, U_I\, \theta) \mid (\theta\, S_I\, \theta) \mid \neg\theta \mid (\theta \vee \theta). \]

Here I is an interval in I_Q. When I is restricted to be non-singular (i.e. not of the form [r, r]) then we get the logic MITL(Σ). The logic is interpreted over timed words in TΣ^ω similarly to TLTL. The modalities U_I and S_I are interpreted as follows, for a timed word σ = (α, τ).

\[ \sigma, i \models \theta\, U_I\, \eta \iff \exists k > i : \sigma, k \models \eta,\ \tau(k) - \tau(i) \in I,\ \text{and } \forall j : i < j < k,\ \sigma, j \models \theta \]

\[ \sigma, i \models \theta\, S_I\, \eta \iff \exists k < i : \sigma, k \models \eta,\ \tau(i) - \tau(k) \in I,\ \text{and } \forall j : k < j < i,\ \sigma, j \models \theta. \]

We first observe that MTL(Σ) is expressively equivalent to its sublogic MTL°(Σ) in which the modalities U_I and S_I are replaced by the modalities U, S, ◇_I and ⊗_I, where U and S are as usual and ◇_I θ = ⊤ U_I θ and ⊗_I θ = ⊤ S_I θ. This is because the formula θ U_I η (and dually θ S_I η) can be translated as follows. Here “⟩” denotes either a “]” or “)” interval bracket.

\[
\theta\, U_I\, \eta \;\equiv\;
\begin{cases}
\Diamond_I \eta \wedge \Box_{[0,a)}(\theta\, U\, (\theta \wedge \Diamond_I \eta)) & \text{if } I = [a, b\rangle,\ a > 0 \\
\Diamond_I \eta \wedge \Box_{[0,a]}(\theta\, U\, (\theta \wedge \Diamond_I \eta)) & \text{if } I = (a, b\rangle,\ a > 0 \\
\Diamond_I \eta \wedge (\theta\, U\, \eta) & \text{if } I = [0, b\rangle \\
\Diamond_I \eta \wedge (\theta\, U\, (\theta \wedge \bigcirc\eta)) & \text{if } I = (0, b\rangle.
\end{cases}
\]
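The pointwise semantics of U_I and S_I given above, together with the derived modalities ◇_I θ = ⊤ U_I θ and ⊗_I θ = ⊤ S_I θ, as an added evaluator (not code from the paper). It goes slightly beyond the text in also interpreting ○ and ⊖ and in providing a syntactic check for the MITL restriction to non-singular intervals. Formulas are nested Python tuples, timed words are finite lists of (letter, timestamp) pairs, and the sample words in the usage are constructed; all of these representations are assumptions of this example.

```python
"""Pointwise MTL semantics over finite timed words (added example).

Formulas are nested tuples:
    ('atom', a) | ('not', f) | ('or', f, g) | ('next', f) | ('prev', f)
    | ('until', I, f, g) | ('since', I, f, g) | ('true',)
An interval I is (lo, hi, lo_closed, hi_closed); hi=None means unbounded.
A timed word is a list of (letter, timestamp) pairs with non-decreasing
Fraction timestamps. The sample inputs below are constructed.
"""
from fractions import Fraction
from typing import List, Optional, Tuple

TimedWord = List[Tuple[str, Fraction]]
Interval = Tuple[Fraction, Optional[Fraction], bool, bool]
TRUE = ('true',)


def timed_word(pairs) -> TimedWord:
    return [(a, Fraction(t)) for a, t in pairs]


def interval(lo, hi, lo_closed=True, hi_closed=True) -> Interval:
    return (Fraction(lo), None if hi is None else Fraction(hi), lo_closed, hi_closed)


def in_interval(v: Fraction, I: Interval) -> bool:
    lo, hi, lo_closed, hi_closed = I
    above = v > lo or (lo_closed and v == lo)
    below = hi is None or v < hi or (hi_closed and v == hi)
    return above and below


def holds(sigma: TimedWord, i: int, f: tuple) -> bool:
    """σ, i ⊨ f under the pointwise semantics of the text."""
    kind = f[0]
    if kind == 'true':
        return True
    if kind == 'atom':                 # position i carries the letter
        return sigma[i][0] == f[1]
    if kind == 'not':
        return not holds(sigma, i, f[1])
    if kind == 'or':
        return holds(sigma, i, f[1]) or holds(sigma, i, f[2])
    if kind == 'next':                 # ○θ: θ at position i+1
        return i + 1 < len(sigma) and holds(sigma, i + 1, f[1])
    if kind == 'prev':                 # ⊖θ: θ at position i-1
        return i >= 1 and holds(sigma, i - 1, f[1])
    if kind == 'until':                # θ U_I η: some k > i with η, τ(k)-τ(i) ∈ I, θ on i<j<k
        _, I, theta, eta = f
        return any(holds(sigma, k, eta)
                   and in_interval(sigma[k][1] - sigma[i][1], I)
                   and all(holds(sigma, j, theta) for j in range(i + 1, k))
                   for k in range(i + 1, len(sigma)))
    if kind == 'since':                # θ S_I η: some k < i with η, τ(i)-τ(k) ∈ I, θ on k<j<i
        _, I, theta, eta = f
        return any(holds(sigma, k, eta)
                   and in_interval(sigma[i][1] - sigma[k][1], I)
                   and all(holds(sigma, j, theta) for j in range(k + 1, i))
                   for k in range(0, i))
    raise ValueError(f"unknown connective {kind!r}")


def diamond(I: Interval, theta: tuple) -> tuple:
    """◇_I θ = ⊤ U_I θ"""
    return ('until', I, TRUE, theta)


def past_diamond(I: Interval, theta: tuple) -> tuple:
    """⊗_I θ = ⊤ S_I θ"""
    return ('since', I, TRUE, theta)


def is_mitl(f: tuple) -> bool:
    """MITL: no U_I or S_I may carry a singular interval [r, r]."""
    kind = f[0]
    if kind in ('until', 'since'):
        lo, hi, _, _ = f[1]
        if hi is not None and lo == hi:
            return False
        return is_mitl(f[2]) and is_mitl(f[3])
    return all(is_mitl(sub) for sub in f[1:] if isinstance(sub, tuple))


def in_language(sigma: TimedWord, f: tuple) -> bool:
    """σ ∈ L(f): the formula holds at position 0."""
    return holds(sigma, 0, f)


if __name__ == "__main__":
    w = timed_word([('a', 0), ('b', 0.5), ('a', 1), ('b', 2)])
    print(in_language(w, diamond(interval(1, 1), ('atom', 'a'))))   # True
```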
Next we consider the logic rec-TLTL(Σ, {◇, ⊗}). The logic MTL°(Σ) is clearly expressively equivalent to rec-TLTL(Σ, {◇, ⊗}) since the predicates ◇_I θ and I ∈ ◇_θ are equivalent. Using Theorem 8 we can now conclude that

Theorem 10. MTL(Σ) is expressively equivalent to rec-TFO(Σ, {◇, ⊗}).

Let rec-TFO^ denote the restriction of rec-TFO to non-singular intervals. Then since the translation of MTL to MTL° does not introduce any singular intervals, and the constructions in Theorem 8 preserve the interval vocabulary of the formulas, we conclude that the logics MITL(Σ) and rec-TFO^(Σ, {◇, ⊗}) are expressively equivalent.



References

1. R. Alur, D. L. Dill: A theory of timed automata, Theoretical Computer Science 126: 183-235 (1994).

2. R. Alur, T. Feder, T. A. Henzinger: The benefits of relaxing punctuality, J. ACM 43, 116-146 (1996).

3. R. Alur, L. Fix, T. A. Henzinger: Event-clock automata: a determinizable class of timed automata, Proc. 6th CAV, LNCS 818, 1-13, Springer-Verlag (1994).

4. R. Alur, T. A. Henzinger: Real-time logics: complexity and expressiveness, Information and Computation 104, 35-77 (1993).

5. J. R. Büchi: Weak second-order arithmetic and finite automata, Zeitschrift für Math. Logik und Grundlagen der Mathematik, 6, 66-92 (1960).

6. D. D’Souza: A Logical Characterisation of Event Clock Automata, in J. Foundations of Computer Science, 14, No. 4, World Scientific (2003).

7. D. D’Souza, N. Tabareau: On timed automata with input-determined guards, Technical report TR-2004-1, CSA/IISc, (http://archive.csa.iisc.ernet.in/TR).

8. D. D’Souza, P. S. Thiagarajan: Product Interval Automata: A Subclass of Timed Automata, Proc. 19th FSTTCS, LNCS 1732 (1999).

9. D. Gabbay, A. Pnueli, S. Shelah, J. Stavi: The Temporal Analysis of Fairness, Seventh ACM Symposium on Principles of Programming Languages, 163-173 (1980).

10. T. A. Henzinger, J.-F. Raskin, and P.-Y. Schobbens: The regular real-time languages, Proc. 25th ICALP 1998, LNCS 1443, 580-591 (1998).

11. H. Kamp: Tense Logic and the Theory of Linear Order, PhD Thesis, University of California (1968).

12. R. Koymans: Specifying real-time properties with metric temporal logic, Real-time Systems, 2(4), 255-299 (1990).

13. A. Pnueli: The temporal logic of programs, Proc. 18th IEEE FOCS, 46-57 (1977).

14. J.-F. Raskin: Logics, Automata and Classical Theories for Deciding Real Time, Ph.D Thesis, FUNDP, Belgium (1999).

15. J.-F. Raskin, P.-Y. Schobbens: State-clock Logic: A Decidable Real-Time Logic, Proc. HART ’97: Hybrid and Real-Time Systems, LNCS 1201, 33-47 (1997).

16. W. Thomas: Automata on Infinite Objects, in J. V. Leeuwen (Ed.), Handbook of Theoretical Computer Science, Vol. B, 133-191, Elsevier (1990).

17. Th. Wilke: Specifying Timed State Sequences in Powerful Decidable Logics and Timed Automata, in Proc. 3rd FTRTFT, LNCS 863, 694-715 (1994).




Decomposing Verification of Timed I/O Automata

Dilsun Kirli Kaynar and Nancy Lynch

MIT Computer Science and Artificial Intelligence Laboratory

{dilsun, lynch}@csail.mit.edu



Abstract. This paper presents assume-guarantee style substitutivity results for the recently published timed I/O automaton modeling framework. These results are useful for decomposing verification of systems where the implementation and the specification are represented as timed I/O automata. We first present a theorem that is applicable in verification tasks in which system specifications express safety properties. This theorem has an interesting corollary that involves the use of auxiliary automata in simplifying the proof obligations. We then derive a new result that shows how the same technique can be applied to the case where system specifications express liveness properties.



1 Introduction 

The timed I/O automata (TIOA) modeling framework [KLSV03a,KLSV03b] provides a composition operation, by which TIOAs modeling individual timed system components can be combined to produce a model for a larger timed system. The model for the composed system can describe interactions among the components, which involves joint participation in discrete transitions. Composition requires certain “compatibility” conditions, namely, that each output action be controlled by at most one automaton, and that internal actions of one automaton cannot be shared by any other automaton.

The composition operation for TIOAs satisfies projection and pasting results, which are fundamental for compositional design and verification of systems: a trace of a composition of TIOAs “projects” to give traces of the individual TIOAs, and traces of components are “pastable” to give behaviors of the composition. This allows one to derive conclusions about the behavior of a large system by combining the results obtained from the analysis of each individual component.

The composition operation for TIOAs also satisfies a basic substitutivity result that states that the composition operation respects the implementation relation for TIOAs. An automaton A_1 is said to implement an automaton A_2 if the set of traces of A_1 is included in the set of traces of A_2. The implementation relation is a congruence with respect to parallel composition. That is, given an automaton B, if A_1 implements A_2 then the composition A_1‖B implements the composition A_2‖B. A corollary of this basic substitutivity result is that, if A_1 implements a specification A_2 and B_1 implements a specification B_2 then A_1‖B_1 implements A_2‖B_2.

The basic substitutivity property described above is desirable for any formalism for interacting processes. For design purposes, it enables one to refine individual components without violating the correctness of the system as a whole. For verification purposes, it enables one to prove that a composite system satisfies its specification by proving that each component satisfies its specification, thereby breaking down the verification task into more manageable pieces. However, it might not always be possible or easy to show that each component A_1 (resp. B_1) satisfies its specification A_2 (resp. B_2) without using any assumptions about the environment of the component. Assume-guarantee style results such as those presented in [Jon83,Pnu84,Sta85,AL93,AL95,HQR00,TAKB96] are special kinds of substitutivity results that state what guarantees are expected from each component in an environment constrained by certain assumptions. Since the environment of each component consists of the other components in the system, assume-guarantee style results need to break the circular dependencies between the assumptions and guarantees for components.

This paper presents assume-guarantee style theorems for use in verification and analysis of timed systems within the TIOA framework. The first theorem allows one to conclude that A_1‖B_1 implements A_2‖B_2 provided that A_1 implements A_2 in the context of B_2 and B_1 implements B_2 in the context of A_2, where A_2 and B_2 express safety constraints and admit arbitrary time-passage. This theorem has an interesting corollary that involves the use of auxiliary automata A_3 and B_3 in decomposing the proof that A_1‖B_1 implements A_2‖B_2. The main idea behind this corollary is to capture, by means of A_3 and B_3, what is essential about the behavior of the contexts A_2 and B_2 in proving the implementation relationship. The second theorem extends this corollary to the case where liveness conditions are added to automaton specifications. This theorem requires one to find the appropriate auxiliary liveness properties for A_3 and B_3, in addition to what is already needed for proving the safety part of the specification. The liveness properties devised for A_3 and B_3 are supposed to capture what liveness guarantees of the contexts A_2 and B_2 are essential in showing the implementation relationship.

Related Work. The results of this paper constitute the first assume-guarantee style results for timed I/O automata. Assume-guarantee reasoning has been previously investigated in various formal frameworks, most commonly, in frameworks based on temporal logics [Pnu84,Sta85,AL93,AL95] and reactive modules [HQR00,HQR02]. Although some of these frameworks such as TLA and reactive modules can be extended to support modeling of timed system behavior [AL94,AH97], it is hard to understand whether all of the results and reasoning techniques obtained for their untimed versions generalize to the timed setting. The work presented in [TAKB96] considers a framework based on timed processes that underlies the language of the tool COSPAN [AK96]. The focus of that paper is timed simulation relations, how they relate to verification based on language inclusion and algorithmic aspects of checking for timed simulations. The topic of assume-guarantee reasoning is visited only for a single theorem, which is akin to the first theorem of this paper. Our other theorems that involve the use of auxiliary automata and liveness properties appear to incorporate novel and simple ideas that have not been investigated before in decomposing verification of timed systems.

Organization of the Paper. Section 2 introduces the basic concepts of the TIOA framework, and gives the basic definitions and results relevant to what is presented in the rest of the paper. This section also states the notational conventions used in writing the TIOA specifications that appear in the examples. Section 3 gives a theorem and its corollary that can be used in decomposing verification of systems where the TIOAs express safety properties. Section 4 shows how the ideas of Section 3 can be applied to decomposition of verification where TIOAs express liveness properties as well as safety properties. Section 5 summarizes the contributions of the paper and discusses possible directions for future work.



2 Timed I/O Automata 

In this section, we present briefly the basic definitions and results from the timed I/O modeling framework that are necessary to understand the material in this paper. The reader is referred to [KLSV03a] for the details.

2.1 Describing Timed System Behavior 

We use the set ℝ of real numbers as the time domain (in [KLSV03a] other time domains are also considered). A time interval is a nonempty, convex subset of ℝ. An interval is left-closed (right-closed) if it has a minimum (resp., maximum) element, and left-open (right-open) otherwise. It is closed if it is both left-closed and right-closed.

States of automata will consist of valuations of variables. Each variable has both a static type, which defines the set of values it may assume, and a dynamic type, which gives the set of trajectories it may follow. We assume that dynamic types are closed under some simple operations: shifting the time domain, taking subintervals and pasting together intervals. We call a variable discrete if its dynamic type equals the pasting-closure of a set of constant-valued functions (i.e., the step-functions), and analog if its dynamic type equals the pasting-closure of a set of continuous functions (i.e., the piecewise-continuous functions).

A valuation for a set V of variables is a function that associates with each variable v ∈ V a value in its static type. We write val(V) for the set of all valuations for V. A trajectory for a set V of variables describes the evolution of the variables in V over time; formally, it is a function from a time interval that starts with 0 to valuations of V, that is, a trajectory defines a value for each variable at each time in the interval. We write trajs(V) for the set of all trajectories for V. A point trajectory is one with the trivial domain {0}. The limit time of a trajectory τ, τ.ltime, is the supremum of the times in its domain. We say that a trajectory is closed if its domain is a closed interval. τ.fval is defined to be the first valuation of τ, and if τ is closed, τ.lval is the last valuation. Suppose τ and τ′ are trajectories for V, with τ closed. The concatenation of τ and τ′, denoted by τ ⌢ τ′, is the trajectory obtained by taking the union of the first trajectory and the function obtained by shifting the domain of the second trajectory until the start time agrees with the limit time of the first trajectory; the last valuation of the first trajectory, which may not be the same as the first valuation of the second trajectory, is the one that appears in the concatenation.

The notion of a hybrid sequence is used to model a combination of changes that occur instantaneously and changes that occur over intervals of time. Our definition is parameterized by a set A of discrete actions and a set V of variables. Thus, an (A, V)-sequence is a finite or infinite alternating sequence, τ_0 a_1 τ_1 a_2 τ_2 …, of trajectories over V and actions in A. A hybrid sequence is any (A, V)-sequence. The limit time of a hybrid sequence α, denoted by α.ltime, is defined by adding the limit times of all its trajectories. Hybrid sequence α is defined to be admissible if α.ltime = ∞, and closed if it is a finite sequence and the domain of its final trajectory is a closed interval. Like trajectories, hybrid sequences can be concatenated, and one can be a prefix of another. If α is a closed (A, V)-sequence, where V = ∅, and β ∈ trajs(∅), we call α ⌢ β a time-extension of α. A hybrid sequence can also be restricted to smaller sets of actions and variables: the (A′, V′)-restriction of an (A, V)-sequence α is obtained by first projecting all trajectories of α on the variables in V′, then removing the actions not in A′, and finally concatenating all adjacent trajectories.

A set S of hybrid sequences is said to be closed under limits if for each chain (with respect to prefix ordering) of closed hybrid sequences in S, the limit of the chain is in S.
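The trajectory and hybrid-sequence operations of this subsection (concatenation with the shifted domain and the first trajectory's last valuation at the junction, the limit time of a hybrid sequence, and the (A′, V′)-restriction that projects, drops actions and re-concatenates), as an added illustration that is not the TIOA framework's own code. It assumes closed trajectories with domain [0, ltime] and valuations represented as dictionaries; the hybrid sequence in the usage is constructed.

```python
"""Trajectories and hybrid sequences (added example, not from the paper).

Only closed trajectories with domain [0, ltime] are modelled. A valuation
is a dict from variable names to values; a hybrid sequence is a Python list
alternating trajectories and action names: τ0 a1 τ1 a2 τ2 ...
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Union

Valuation = Dict[str, float]


@dataclass
class Traj:
    ltime: float                          # closed domain [0, ltime]
    f: Callable[[float], Valuation]       # valuation at each time of the domain

    def __call__(self, t: float) -> Valuation:
        if not 0 <= t <= self.ltime:
            raise ValueError(f"time {t} outside the domain [0, {self.ltime}]")
        return self.f(t)

    @property
    def fval(self) -> Valuation:
        return self(0)

    @property
    def lval(self) -> Valuation:          # defined since the trajectory is closed
        return self(self.ltime)

    def concat(self, other: "Traj") -> "Traj":
        """τ ⌢ τ′: shift τ′ so that it starts at τ.ltime; at the junction
        the last valuation of τ is the one that appears."""
        cut = self.ltime
        return Traj(cut + other.ltime,
                    lambda t: self.f(t) if t <= cut else other.f(t - cut))

    def project(self, variables: Set[str]) -> "Traj":
        """Projection of the trajectory onto a subset of its variables."""
        return Traj(self.ltime, lambda t: {v: self.f(t)[v] for v in variables})


HybridSeq = List[Union[Traj, str]]


def ltime(alpha: HybridSeq) -> float:
    """α.ltime: the sum of the limit times of the trajectories of α."""
    return sum(x.ltime for x in alpha if isinstance(x, Traj))


def restrict(alpha: HybridSeq, actions: Set[str], variables: Set[str]) -> HybridSeq:
    """The (A′, V′)-restriction: project every trajectory onto V′, remove the
    actions not in A′, and concatenate trajectories that become adjacent."""
    out: HybridSeq = []
    for x in alpha:
        if isinstance(x, Traj):
            tau = x.project(variables)
            if out and isinstance(out[-1], Traj):
                out[-1] = out[-1].concat(tau)
            else:
                out.append(tau)
        elif x in actions:
            out.append(x)
    return out


def sample_sequence() -> HybridSeq:
    """Constructed (A, V)-sequence with A = {tick, internal}, V = {x, y}:
    an analog clock x that is reset by tick, and a discrete m ode y."""
    return [Traj(2.0, lambda t: {'x': t, 'y': 1.0}),
            'tick',
            Traj(1.0, lambda t: {'x': t, 'y': 2.0}),
            'internal',
            Traj(1.0, lambda t: {'x': 1.0 + t, 'y': 2.0})]


if __name__ == "__main__":
    alpha = sample_sequence()
    print(ltime(alpha), len(restrict(alpha, {'tick'}, {'x'})))   # 4.0 3
```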

2.2 Timed I/O Automata Definition 

Formally, a timed I/O automaton (TIOA) consists of:

— A set X of internal variables.

— A set Q ⊆ val(X) of states.

— A nonempty set Θ ⊆ Q of start states.

— A set H of internal actions, a set I of input actions and a set O of output actions. We write E = I ∪ O for the set of external actions and A = E ∪ H for the set of all actions. Actions in L = H ∪ O are called locally controlled.

— A set D ⊆ Q × A × Q of discrete transitions. We use x –a→ x′ as shorthand for (x, a, x′) ∈ D. We say that a is enabled in x if (x, a, x′) ∈ D for some x′.

— A set T of trajectories for X such that τ(t) ∈ Q for every τ ∈ T and every t in the domain of τ. Given a trajectory τ ∈ T we denote τ.fval by τ.fstate and, if τ is closed, we denote τ.lval by τ.lstate.

We require that the set of trajectories be closed under the operations of prefix, suffix, and concatenation and that there is a point trajectory for every state of the automaton. Moreover, the following axioms are satisfied:




